Link Cloaking hides the original URL and shows only a short link in the browser address bar. However, as you might notice while cloaking, not all the destination URLs may be masked.

Note: Link Cloaking requires the Personal Plan.

On Short.io, in case of cloaking prohibition, you see the error: "Cloaking is forbidden by destination URL with X-Frame-Options header."

Why is cloaking forbidden?

The website, you're trying to cloak, has the X-Frame-Options header. What does it mean?

X-Frame-Options header tells your browser how to behave when handling your site’s content. The main reason for its inception was to provide clickjacking protection. This includes a page rendering in a frame, iframe, or object. Iframes are used to embed and isolate third-party content into a website.

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. The users believe they are clicking the visible page but in fact they are clicking an invisible element on the additional page. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Examples of items that use iframes include social media sharing buttons, Google Maps, video players, audio players, 3rd party advertising, and even some OAuth implementations.

Note: YouTube, Vimeo, Google, Twitter, Facebook, PayPal — a short list of the services, which forbid masking due to security restriction.

Cloaking is forbidden for a website with HTTP. An unsecured site can't be masked with a secured short link. This prevents users from seeing that the website is dangerous.

HTTP doesn't encrypt data transfer between the user and the site. A third-party user can spy on the actions. HTTP simplifies the theft of personal data and a device infection with malware.

Short.io provides short URLs with SSL certificate. Make sure the website you want to cloak has HTTPS links to succeed in link cloaking.