When most security writeups talk about "your attack surface," they mean what runs on your servers — your dependencies, your auth flow, your perimeter. That's the part you can patch. The part you can't is everything your pages tell a browser to fetch from somewhere else: scripts, embeds, images, iframes, and the links your users click on their way out.
Internal pages you control. External destinations you don't. That's the whole problem in one sentence.
Internal vs external — and why the line matters
An internal link points at a page you ship. If it 404s, your CMS told it to. If its content changes, you wrote the change. If you don't like it, you redeploy.
An external link points at infrastructure owned by someone else. You wrote the <a> tag, but the destination's content, ownership, DNS, TLS, and threat profile are all somebody else's to mutate. Your link is a pointer; the thing it points at is mutable state you have no read access to.
The same is true for any third-party resource your page loads at render time — analytics scripts, font CDNs, embedded widgets, ad tags, OAuth iframes, polyfill bundles. The browser fetches them. The user trusts them because they're served on your origin. You picked them, but you didn't write them, and you usually don't know when they change.
How the surface area actually gets weaponized
Ownership change. A domain you linked to in 2022 is up for renewal next month. The owner doesn't renew. A dropcatcher buys it; a parking service serves ads against the residual traffic. Your "further reading" link is now a clickthrough to a sportsbook or a phishing page. None of your code changed.
Vendor compromise. A third-party script you embed (analytics, chat widget, polyfill, "free" geo-IP plugin) is compromised at the source. The Polyfill.io takeover in mid-2024 hit roughly 100,000 sites in a single weekend — the operators of those sites didn't push a release, they just kept loading what they'd always loaded.
Silent content drift. A reference site you linked to gets sold to a different operator who repurposes it. Same URL, same domain, completely different intent. Visitors click your link expecting one thing and land on another.
Compliance exposure. A regulated site (healthcare, finance, education, government) linking outward to content that drifts into off-policy territory is a finding, regardless of intent. Auditors don't grade your intent; they grade what the page does now.
SEO drag. Search engines have been measuring outbound-link rot and outbound-link reputation for years. A growing pile of dead, parked, or low-reputation destinations is a quantifiable demotion.
Time is the unfixable part
Links are static. The internet behind them is not. A link written in 2020 is still trying to fetch in 2026 — but everything that determines what comes back has changed. Domain ownership, DNS records, hosting providers, TLS certs, the people who hold the SSH keys. None of that is in your git history.
Most operators don't notice the drift until someone screenshots it. That's the failure mode worth designing against.
Where LinkSentry fits
LinkSentry catalogs every outbound destination your pages actually hand to a browser — through real user telemetry, not a crawler — and watches each one for change. Specifically:
- Dead, redirected, and broken links
- Parked, NSFW, or category-restricted destinations
- Malware, phishing, and scam-delivery listings from threat-intel feeds
- Re-registered or recently-transferred domains
- New third-party scripts on sensitive pages (checkout, login, anything you flag)
You get alerts when something changes — not a quarterly audit, not a manual recrawl. The point is to compress detection time from "weeks after a customer notices" to "before the next visitor clicks."
External links don't have to be a silent liability. They just have to be inventoried, watched, and diffable. That's the missing layer.
Related Posts: