About susQR

Scan first. Click later.

What is susQR?

susQR shows you where a QR code actually leads before you tap anything. We run the link through Snort IDS rules and VirusTotal so you know whether it's safe — or sketchy.

Why we built this

QR codes are on everything now — parking meters, restaurant tables, flyers on telephone poles. The problem is you can't tell a legit QR code from a malicious one just by looking at it. Attackers stick fake QR stickers over real ones, and people scan them without thinking twice. That's called quishing (QR + phishing), and it's been growing fast.

The core problem

When you scan a QR code with your phone's default camera, it opens the link immediately. There's no preview, no safety check. You're trusting a random sticker. susQR sits between that scan and any action — so you see where you're going first.

How it works

Upload a QR code image or point your camera at one. We decode it, then run it through several checks:

URL Preview

See the actual destination — including any redirects the link tries to sneak through.

Snort IDS

Pattern-based threat detection. Catches known phishing tricks, suspicious domains, and shady URL structures.

VirusTotal

Checks the URL against 70+ antivirus engines. If anyone's flagged it, you'll know.

Risk Scoring

Combines all findings into a simple risk score: low, medium, high, or critical.

Features

  • Dual QR decode engines — pyzbar for speed, qreader as fallback for tricky codes
  • Redirect tracing — follows URL shorteners and redirects so you see the final destination
  • No account needed — just scan and go
  • Camera support — works on your phone, auto-detects QR codes from the live feed
  • Auto-cleanup — uploaded images are deleted after 24 hours
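
A sketch of the redirect tracing described above, added here as an illustration and not susQR's own code: it walks a chain one hop at a time with a hop cap and loop detection, and flags host changes and HTTPS downgrades. The fetcher, the redirect table, the hop cap and every hostname are assumptions constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumed cap; the page does not state one

# Constructed redirect table standing in for live HTTP responses:
# URL -> (status code, Location header or None). All hosts are placeholders.
SAMPLE_RESPONSES = {
    "https://short.example/a1": (301, "https://tracker.example/r?id=7"),
    "https://tracker.example/r?id=7": (302, "http://login.example.net/verify"),
    "http://login.example.net/verify": (200, None),
    "https://loop.example/x": (302, "/y"),
    "https://loop.example/y": (302, "/x"),
}

def sample_fetch(url):
    """Hypothetical fetcher: returns (status, location) without touching the network."""
    return SAMPLE_RESPONSES.get(url, (200, None))

def trace_redirects(url, fetch=sample_fetch, max_hops=MAX_HOPS):
    """Follow redirects hop by hop and report the chain plus anything worth flagging."""
    chain, flags, seen = [url], [], {url}
    while True:
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break  # not a redirect: this is the final destination
        nxt = urljoin(url, location)  # Location may be relative
        old, new = urlsplit(url), urlsplit(nxt)
        if new.scheme not in ("http", "https"):
            flags.append(f"non-http scheme: {new.scheme}")
            chain.append(nxt)
            break  # record the target but never follow it
        if old.scheme == "https" and new.scheme == "http":
            flags.append("https downgraded to http")
        if old.hostname != new.hostname:
            flags.append(f"host change: {old.hostname} -> {new.hostname}")
        if nxt in seen:
            flags.append("redirect loop")
            break
        if len(chain) > max_hops:
            flags.append("hop limit reached")
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return {"final": chain[-1], "hops": len(chain) - 1, "chain": chain, "flags": flags}
```

Against live URLs the fetcher would issue requests with automatic redirect following disabled and read only the status code and Location header.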

Tech stack

  • Flask on Python — handles the web app and API
  • SQLite — stores scan results (lightweight, no setup needed)
  • jsQR in the browser — decodes QR codes from the camera in real time
  • Docker-ready — ships with a Dockerfile and compose config
  • CSRF + rate limiting built in

Try it

Got a suspicious QR code? Check it now.

Privacy

  • Images auto-delete after 24 hours
  • No tracking cookies
  • No data sold to third parties
  • Email is optional and only for notifications
  • HTTPS everywhere

Who uses susQR?

  • Anyone who's about to scan a QR code and wants to check it first
  • IT teams doing security awareness training
  • Schools and universities teaching cybersecurity basics
  • Small businesses that want to verify QR codes on marketing materials

What's next

  • Native mobile app (iOS/Android)
  • API access for bulk scanning
  • Browser extension for one-click scans
  • More language support

Support susQR

This tool is free. If it's saved you from a bad link, consider helping keep it running.

Donate