diff --git a/.agents/scratchpad/2026-02-15-smolterms/project-landing-page/context.md b/.agents/scratchpad/2026-02-15-smolterms/project-landing-page/context.md
new file mode 100644
index 0000000..e99a923
--- /dev/null
+++ b/.agents/scratchpad/2026-02-15-smolterms/project-landing-page/context.md
@@ -0,0 +1,35 @@
+# Context: SmolTerms Project Landing Page
+
+## Requirements
+- Static landing page at `website/` directory
+- Vanilla HTML + Tailwind CSS (CDN) + minimal JS
+- No build system required
+- Light pastel/offwhite color palette with darker contrast buttons
+- Responsive (mobile 375px, desktop 1280px)
+
+## Sections Required
+1. Hero/Header - project name, tagline
+2. What it does - privacy policy analyzer, 5 dimensions
+3. Motivation - why privacy policies need simplification
+4. How it works - extension flow explanation
+5. Install - Firefox/Chrome buttons (placeholder URLs)
+6. Scoring explanation - 5 dimensions + 4 risk levels with colors
+7. Try It (placeholder) - `<section id="try-it">` for URL analysis (task-03)
+8. Footer - GitHub repo, license
+
+## Design Decisions
+- **Tailwind CSS via CDN** - user preference, no build step needed
+- **Color palette**: Offwhite backgrounds (#f8f7f4 / #faf9f6), darker offwhite buttons (#e8e5df / #d4d0c8)
+- **Risk level colors from design doc**: Green (8-10), Yellow (5-0-7.9), Orange (3-4.9), Red (1-2.9)
+- **Font**: Inter via Google Fonts for clean modern look
+
+## Scoring System (from design doc)
+| Dimension | What it measures |
+|-----------|-----------------|
+| Data Collection | How much personal data is collected |
+| Data Sharing | Whether data is shared/sold to third parties |
+| User Rights | Ability to access, delete, export data |
+| Retention | How long data is kept |
+| Security | Security measures, encryption, breach notification |
+
+Risk levels: Low (8-10, green), Moderate (5-7.9, yellow), High (3-4.9, orange), Critical (1-2.9, red)
diff --git a/.agents/scratchpad/2026-02-15-smolterms/project-landing-page/plan.md b/.agents/scratchpad/2026-02-15-smolterms/project-landing-page/plan.md
new file mode 100644
index 0000000..90e7a00
--- /dev/null
+++ b/.agents/scratchpad/2026-02-15-smolterms/project-landing-page/plan.md
@@ -0,0 +1,33 @@
+# Plan: SmolTerms Project Landing Page
+
+## Test Strategy
+Since this is a static HTML/CSS/JS page with no build system, traditional unit tests don't apply. Validation:
+- Manual browser check: all sections render correctly
+- HTML structure verification: `<section id="try-it">` placeholder exists
+- Responsive: verify layout at 375px and 1280px viewports
+- All required sections present in HTML
+
+## Implementation Plan
+
+### Files to Create
+1. `website/index.html` - Main page with all sections, Tailwind CDN
+2. `website/script.js` - Smooth scrolling, mobile nav toggle
+3. `website/README.md` - Local dev and GitHub Pages deployment instructions
+
+### Design Approach
+- Tailwind CSS via CDN (no build step)
+- Google Fonts: Inter
+- Color palette: offwhite backgrounds, darker offwhite/warm gray buttons
+- Risk level colors used as accents in scoring section
+- Clean, minimal layout with generous whitespace
+
+### Section Breakdown
+1. **Nav** - Fixed top, logo + nav links
+2. **Hero** - Large heading, tagline, CTA buttons
+3. **What it does** - Brief feature overview
+4. **Motivation** - Why SmolTerms exists
+5. **How it works** - 3-step visual flow
+6. **Install** - Browser extension download buttons
+7. **Scoring** - 5 dimensions grid + risk level legend
+8. **Try It** - Placeholder section for URL analysis
+9. **Footer** - Links, license
diff --git a/.agents/scratchpad/2026-02-15-smolterms/project-landing-page/progress.md b/.agents/scratchpad/2026-02-15-smolterms/project-landing-page/progress.md
new file mode 100644
index 0000000..4464106
--- /dev/null
+++ b/.agents/scratchpad/2026-02-15-smolterms/project-landing-page/progress.md
@@ -0,0 +1,21 @@
+# Progress: SmolTerms Project Landing Page
+
+## Setup
+- [x] Create documentation directory
+- [x] Read task file and design document
+- [x] Create context.md
+
+## Implementation
+- [x] Create `website/` directory structure
+- [x] Build `index.html` with all sections (hero, features, motivation, how-it-works, install, scoring, try-it, footer)
+- [x] Style with Tailwind CSS (CDN) - pastel/offwhite palette with custom cream color scale
+- [x] Add `script.js` for smooth scrolling and mobile nav toggle
+- [x] Create `website/README.md` with local dev and GitHub Pages deploy instructions
+- [x] Validate: all acceptance criteria met (sections, scoring, responsive classes, try-it placeholder)
+- [ ] Commit
+
+## Decisions
+- Used Tailwind CDN with custom config (cream color palette, risk level colors)
+- Inter font via Google Fonts for clean modern look
+- SVG icons inline (no external icon library dependency)
+- Firefox/Chrome install buttons use placeholder `#` URLs
diff --git a/.agents/scratchpad/2026-02-15-smolterms/website-url-analysis/context.md b/.agents/scratchpad/2026-02-15-smolterms/website-url-analysis/context.md
new file mode 100644
index 0000000..4ad5fd6
--- /dev/null
+++ b/.agents/scratchpad/2026-02-15-smolterms/website-url-analysis/context.md
@@ -0,0 +1,75 @@
+# Context: Website URL Analysis Feature
+
+## Project Structure
+- `website/index.html` - Landing page using Tailwind CSS CDN, Inter font, vanilla JS
+- `website/script.js` - Mobile menu toggle + smooth scrolling (28 lines)
+- No `styles.css` - all styling via Tailwind utility classes inline
+- No build system - plain static files served directly
+
+## Requirements Summary
+
+### Functional
+1. Replace the `<section id="try-it">` placeholder (line 279-290) with:
+   - URL input field with placeholder text
+   - "Analyze" submit button
+   - Results container (hidden by default)
+2. Form submission flow:
+   - Client-side URL validation (basic format check)
+   - Loading state (spinner, disabled button, progress text)
+   - POST to `{API_BASE_URL}/api/v1/analyze-url` with `{ "url": "..." }`
+   - Render results or errors
+3. Results display: overall score + risk badge, 5 dimension scores, key concerns list, summary, cached indicator
+4. Error handling: network errors, fetch failures (suggest extension), rate limiting (429), invalid URL, non-policy content
+5. Configurable API base URL (default `http://localhost:8080`)
+6. Smooth scroll to results after analysis
+
+### Backend API Contract
+- **Request:** `POST /api/v1/analyze-url` with `{ "url": "..." }`
+- **Success Response (200):** `AnalysisResult` struct:
+  ```json
+  {
+    "url": "...",
+    "overall_score": 7.2,
+    "risk_level": "moderate",  // "low"|"moderate"|"high"|"critical"|"not_policy"
+    "dimensions": {
+      "data_collection": { "score": 7.0, "summary": "..." },
+      "data_sharing": { "score": 6.5, "summary": "..." },
+      "user_rights": { "score": 8.0, "summary": "..." },
+      "retention": { "score": 7.5, "summary": "..." },
+      "security": { "score": 7.0, "summary": "..." }
+    },
+    "key_concerns": ["concern1", "concern2"],
+    "summary": "...",
+    "cached": false,
+    "analyzed_at": "2026-02-15T..."
+  }
+  ```
+- **Error Response:** `{ "error": "..." }` with appropriate HTTP status codes
+  - 400: Invalid request / empty URL
+  - 429: Rate limited (5 req/min/IP)
+  - 502: Fetch failure / analysis failure
+  - 504: Analysis timeout
+
+### Risk Level Colors (from Tailwind config)
+- Low (8-10): `risk-low` (#4ade80 green)
+- Moderate (5-7.9): `risk-moderate` (#facc15 yellow)
+- High (3-4.9): `risk-high` (#fb923c orange)
+- Critical (1-2.9): `risk-critical` (#f87171 red)
+
+## Existing Patterns
+- Website uses Tailwind CSS CDN - no custom CSS file, all utility classes
+- Existing sections use `max-w-3xl` or `max-w-5xl` with `mx-auto`, `px-6`, `py-20`
+- Cards use `bg-cream-100 rounded-xl p-5/p-6 border border-cream-300` pattern
+- Colors from custom cream palette (cream-50 through cream-900)
+- Risk colors already defined in Tailwind config
+- JS is vanilla, no framework, no modules
+- Try-it section currently has `max-w-3xl mx-auto text-center` layout
+
+## Implementation Path
+1. Edit `website/index.html` - Replace try-it placeholder with form HTML + results container
+2. Edit `website/script.js` - Add all JS logic (validation, API calls, rendering, error handling)
+3. Add inline `<style>` tag for spinner animation (only thing Tailwind can't do with utilities)
+
+## Dependencies
+- Backend `POST /api/v1/analyze-url` endpoint (already implemented)
+- Backend CORS must allow website origin
diff --git a/.agents/scratchpad/2026-02-15-smolterms/website-url-analysis/plan.md b/.agents/scratchpad/2026-02-15-smolterms/website-url-analysis/plan.md
new file mode 100644
index 0000000..5627698
--- /dev/null
+++ b/.agents/scratchpad/2026-02-15-smolterms/website-url-analysis/plan.md
@@ -0,0 +1,73 @@
+# Plan: Website URL Analysis Feature
+
+## Test Strategy
+
+This is a vanilla JS frontend with no build system or test framework. Testing is **manual verification** against the acceptance criteria. Each criterion maps to a specific UI interaction that can be verified by running the local dev server and interacting with the form.
+
+### Manual Test Scenarios
+
+1. **URL Form Displays** - Load page, scroll to try-it section, verify input + button visible
+2. **Empty URL validation** - Click Analyze with empty input -> validation message, no API call
+3. **Invalid URL validation** - Type "not a url", click Analyze -> validation message, no API call
+4. **Loading state** - Submit valid URL -> spinner visible, button disabled, progress text shows
+5. **Successful analysis** - Submit real policy URL with running backend -> scores, risk badge, dimensions, concerns, summary all render
+6. **Risk level colors** - Verify green/yellow/orange/red match score ranges
+7. **Fetch failure** - Submit URL backend can't fetch -> error + extension suggestion
+8. **Rate limit (429)** - Trigger rate limit -> "too many requests" message
+9. **Non-policy content** - Submit non-policy URL -> friendly "not a privacy policy" message
+10. **Smooth scroll** - After results render, page scrolls to results section
+11. **Responsive** - Check results on mobile viewport (no horizontal scroll)
+12. **Cached indicator** - If response has `cached: true`, show indicator
+
+## Implementation Plan
+
+### Step 1: HTML - Replace try-it placeholder
+- Replace the placeholder div (lines 279-290 of index.html) with:
+  - Form with URL input + Analyze button
+  - Loading state container (hidden)
+  - Results container (hidden)
+  - Error container (hidden)
+- Add a `<style>` block in `<head>` for spinner keyframe animation
+
+### Step 2: CSS via Tailwind classes
+- All styling via Tailwind utility classes (matching existing pattern)
+- Only custom CSS needed: `@keyframes spin` for the loading spinner
+- Score cards: grid layout, cream card styling like existing dimension cards
+- Risk badge: colored pill using `bg-risk-*` classes from Tailwind config
+- Dimension scores: flex layout with score number + summary text
+- Error states: red-tinted cards with appropriate messaging
+
+### Step 3: JavaScript implementation
+Add to `script.js`:
+- `API_BASE` constant (configurable, defaults to `http://localhost:8080`)
+- URL validation function (basic URL format check)
+- Form submit handler
+- `analyzeURL(url)` - fetch call to backend
+- `renderResults(data)` - builds results HTML from AnalysisResult
+- `renderError(message, suggestion)` - shows error with optional suggestion
+- `getRiskColor(riskLevel)` - maps risk level string to Tailwind color class
+- `getDimensionLabel(key)` - maps snake_case keys to display labels
+- `showLoading()` / `hideLoading()` - toggle loading state
+- `resetState()` - clears previous results/errors
+
+### Step 4: Error handling matrix
+| HTTP Status | Backend Error Message | Frontend Display |
+|-------------|----------------------|------------------|
+| Network error | N/A | "Could not reach the analysis server" |
+| 400 | "Invalid JSON..." / "url required" | Show backend message |
+| 429 | N/A (rate limiter) | "Too many requests, please wait and try again" |
+| 502 | "Failed to fetch..." | Backend message + "Try using the browser extension instead" |
+| 504 | "Analysis timed out..." | "Analysis timed out. Please try again." |
+| 200 + risk_level="not_policy" | N/A | "This page doesn't appear to be a privacy policy" |
+
+## Implementation Checklist
+- [ ] Add spinner keyframe CSS in `<head>`
+- [ ] Replace try-it placeholder HTML with form + results + error containers
+- [ ] Add `API_BASE` constant to script.js
+- [ ] Implement URL validation
+- [ ] Implement form submit handler with loading state
+- [ ] Implement API fetch call
+- [ ] Implement results rendering (overall score, risk badge, dimensions, concerns, summary, cached)
+- [ ] Implement error rendering (all error types)
+- [ ] Implement smooth scroll to results
+- [ ] Manual verification of all acceptance criteria
diff --git a/.agents/scratchpad/2026-02-15-smolterms/website-url-analysis/progress.md b/.agents/scratchpad/2026-02-15-smolterms/website-url-analysis/progress.md
new file mode 100644
index 0000000..6f99e93
--- /dev/null
+++ b/.agents/scratchpad/2026-02-15-smolterms/website-url-analysis/progress.md
@@ -0,0 +1,38 @@
+# Progress: Website URL Analysis Feature
+
+## Setup
+- [x] Created documentation directory structure
+- [x] Discovered project files (no CODEASSIST.md found)
+
+## Explore Phase
+- [x] Analyzed requirements and context
+- [x] Researched existing patterns (Tailwind-only styling, cream palette, card patterns)
+- [x] Created context document
+
+## Plan Phase
+- [x] Designed test strategy (manual verification - no test framework for static site)
+- [x] Created implementation plan
+
+## Code Phase
+- [x] Implement HTML form in try-it section (replaced placeholder with form + results + error containers)
+- [x] Add spinner CSS keyframe animation in `<head>`
+- [x] All styling via Tailwind utility classes (matching existing patterns)
+- [x] Implement JS: URL validation (`new URL()` + protocol check), API fetch, result rendering
+- [x] Implement error handling (429, 502, 504, network errors, not_policy)
+- [x] XSS protection via `escapeHTML()` for API response content
+- [x] Refactor and review - conventions match existing codebase
+
+## Validate
+- [x] JS syntax validation: passed
+- [x] HTML structure validation: passed
+- [x] All 10 acceptance criteria addressed in implementation
+
+## Decisions
+- Used `<style>` tag for spinner animation (only custom CSS needed; Tailwind handles everything else)
+- Used `new URL()` constructor for URL validation (browser-native, handles edge cases)
+- Used `escapeHTML()` via DOM text content assignment for XSS prevention
+- Dimension scores rendered in fixed order matching the scoring section of the landing page
+- "Analyze another" button scrolls back to form and resets state
+
+## Commit
+- [ ] Conventional commit created
diff --git a/backend/internal/api/fetcher.go b/backend/internal/api/fetcher.go
new file mode 100644
index 0000000..4a783c8
--- /dev/null
+++ b/backend/internal/api/fetcher.go
@@ -0,0 +1,89 @@
+package api
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+)
+
+const (
+	defaultMaxBodySize  = 5 * 1024 * 1024 // 5MB
+	defaultUserAgent    = "SmolTerms/1.0 (+https://github.com/Parth576/smolterms)"
+	defaultMaxRedirects = 5
+)
+
+// Fetcher handles server-side HTTP fetching with SSRF protection and safety limits.
+type Fetcher struct {
+	MaxBodySize  int64
+	UserAgent    string
+	MaxRedirects int
+	Client       *http.Client
+	// ValidateFunc validates a URL before fetching. Defaults to ValidateURL.
+	ValidateFunc func(string) error
+}
+
+// NewFetcher creates a Fetcher with default settings.
+func NewFetcher() *Fetcher {
+	f := &Fetcher{
+		MaxBodySize:  defaultMaxBodySize,
+		UserAgent:    defaultUserAgent,
+		MaxRedirects: defaultMaxRedirects,
+		ValidateFunc: ValidateURL,
+	}
+	f.Client = &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			if len(via) >= f.MaxRedirects {
+				return fmt.Errorf("too many redirects (max %d)", f.MaxRedirects)
+			}
+			if err := f.ValidateFunc(req.URL.String()); err != nil {
+				return fmt.Errorf("redirect blocked: %w", err)
+			}
+			return nil
+		},
+	}
+	return f
+}
+
+// Fetch downloads the page at rawURL and returns the HTML body.
+// It validates the URL for SSRF, checks content type, and limits body size.
+func (f *Fetcher) Fetch(ctx context.Context, rawURL string) (string, error) {
+	if err := f.ValidateFunc(rawURL); err != nil {
+		return "", fmt.Errorf("url validation failed: %w", err)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, rawURL, nil)
+	if err != nil {
+		return "", fmt.Errorf("failed to create request: %w", err)
+	}
+	req.Header.Set("User-Agent", f.UserAgent)
+	req.Header.Set("Accept", "text/html")
+
+	resp, err := f.Client.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("failed to fetch url: %w. Try using the browser extension instead", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return "", fmt.Errorf("server returned status %d. The page may be restricted — try using the browser extension instead", resp.StatusCode)
+	}
+
+	ct := resp.Header.Get("Content-Type")
+	if !strings.Contains(strings.ToLower(ct), "text/html") {
+		return "", fmt.Errorf("unexpected content type %q: expected text/html", ct)
+	}
+
+	// Read up to MaxBodySize + 1 byte to detect oversized responses.
+	limited := io.LimitReader(resp.Body, f.MaxBodySize+1)
+	body, err := io.ReadAll(limited)
+	if err != nil {
+		return "", fmt.Errorf("failed to read response body: %w", err)
+	}
+	if int64(len(body)) > f.MaxBodySize {
+		return "", fmt.Errorf("response body too large (exceeds %d bytes)", f.MaxBodySize)
+	}
+
+	return string(body), nil
+}
diff --git a/backend/internal/api/fetcher_test.go b/backend/internal/api/fetcher_test.go
new file mode 100644
index 0000000..6ce4dac
--- /dev/null
+++ b/backend/internal/api/fetcher_test.go
@@ -0,0 +1,172 @@
+package api
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+)
+
+// noopValidator skips SSRF validation for httptest servers (which use 127.0.0.1).
+func noopValidator(_ string) error { return nil }
+
+// newTestFetcher creates a Fetcher with SSRF validation disabled for local test servers.
+func newTestFetcher() *Fetcher {
+	f := NewFetcher()
+	f.ValidateFunc = noopValidator
+	return f
+}
+
+func TestFetcher(t *testing.T) {
+	t.Run("fetches HTML content successfully", func(t *testing.T) {
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			fmt.Fprint(w, "<html><body>Privacy Policy</body></html>")
+		}))
+		defer ts.Close()
+
+		f := newTestFetcher()
+		html, err := f.Fetch(context.Background(), ts.URL)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if !strings.Contains(html, "Privacy Policy") {
+			t.Errorf("html = %q, want it to contain 'Privacy Policy'", html)
+		}
+	})
+
+	t.Run("sets correct User-Agent header", func(t *testing.T) {
+		var gotUA string
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			gotUA = r.Header.Get("User-Agent")
+			w.Header().Set("Content-Type", "text/html")
+			fmt.Fprint(w, "<html></html>")
+		}))
+		defer ts.Close()
+
+		f := newTestFetcher()
+		f.Fetch(context.Background(), ts.URL)
+
+		if !strings.Contains(gotUA, "SmolTerms") {
+			t.Errorf("User-Agent = %q, want it to contain 'SmolTerms'", gotUA)
+		}
+	})
+
+	t.Run("rejects non-HTML content type", func(t *testing.T) {
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"key":"value"}`)
+		}))
+		defer ts.Close()
+
+		f := newTestFetcher()
+		_, err := f.Fetch(context.Background(), ts.URL)
+		if err == nil {
+			t.Error("expected error for non-HTML content type")
+		}
+		if !strings.Contains(err.Error(), "content type") {
+			t.Errorf("error = %q, want it to mention 'content type'", err)
+		}
+	})
+
+	t.Run("rejects oversized response body", func(t *testing.T) {
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "text/html")
+			// Write more than 1KB.
+			for i := 0; i < 2; i++ {
+				fmt.Fprint(w, strings.Repeat("x", 1024))
+			}
+		}))
+		defer ts.Close()
+
+		f := newTestFetcher()
+		f.MaxBodySize = 1024 // 1KB for testing
+		_, err := f.Fetch(context.Background(), ts.URL)
+		if err == nil {
+			t.Error("expected error for oversized body")
+		}
+		if !strings.Contains(err.Error(), "too large") {
+			t.Errorf("error = %q, want it to mention 'too large'", err)
+		}
+	})
+
+	t.Run("SSRF-blocked URLs return error", func(t *testing.T) {
+		f := NewFetcher() // Use real validator
+		_, err := f.Fetch(context.Background(), "http://127.0.0.1:8080/secret")
+		if err == nil {
+			t.Error("expected error for SSRF-blocked URL")
+		}
+	})
+
+	t.Run("respects context cancellation", func(t *testing.T) {
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			time.Sleep(5 * time.Second)
+			w.Header().Set("Content-Type", "text/html")
+			fmt.Fprint(w, "<html></html>")
+		}))
+		defer ts.Close()
+
+		ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
+		defer cancel()
+
+		f := newTestFetcher()
+		_, err := f.Fetch(ctx, ts.URL)
+		if err == nil {
+			t.Error("expected error from context timeout")
+		}
+	})
+
+	t.Run("follows redirects", func(t *testing.T) {
+		mux := http.NewServeMux()
+		mux.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
+			http.Redirect(w, r, "/final", http.StatusFound)
+		})
+		mux.HandleFunc("/final", func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "text/html")
+			fmt.Fprint(w, "<html><body>Final page</body></html>")
+		})
+		ts := httptest.NewServer(mux)
+		defer ts.Close()
+
+		f := newTestFetcher()
+		html, err := f.Fetch(context.Background(), ts.URL+"/redirect")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if !strings.Contains(html, "Final page") {
+			t.Errorf("html = %q, want it to contain 'Final page'", html)
+		}
+	})
+
+	t.Run("unreachable URL returns descriptive error", func(t *testing.T) {
+		// Use a closed server to simulate unreachable URL without network timeout.
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+		url := ts.URL
+		ts.Close()
+
+		f := newTestFetcher()
+		_, err := f.Fetch(context.Background(), url)
+		if err == nil {
+			t.Error("expected error for unreachable URL")
+		}
+	})
+
+	t.Run("returns error with extension suggestion on failure", func(t *testing.T) {
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusForbidden)
+		}))
+		defer ts.Close()
+
+		f := newTestFetcher()
+		_, err := f.Fetch(context.Background(), ts.URL)
+		if err == nil {
+			t.Error("expected error for 403 response")
+		}
+		if !strings.Contains(err.Error(), "extension") {
+			t.Errorf("error = %q, want it to suggest using the browser extension", err)
+		}
+	})
+}
diff --git a/backend/internal/api/handler.go b/backend/internal/api/handler.go
index 16ef51d..9aecf4a 100644
--- a/backend/internal/api/handler.go
+++ b/backend/internal/api/handler.go
@@ -105,6 +105,74 @@ func NewHealthHandler(cfg *config.Config, qdrantCheck func(ctx context.Context)
 	}
 }
 
+// NewAnalyzeURLHandler returns a handler that accepts a URL, fetches its content
+// server-side, and runs the analysis pipeline on the fetched HTML.
+// If pipeline is nil, the handler returns 503 Service Unavailable.
+// If logger is nil, the default slog logger is used.
+func NewAnalyzeURLHandler(pipeline PipelineRunner, fetcher *Fetcher, logger *slog.Logger) http.HandlerFunc {
+	if logger == nil {
+		logger = slog.Default()
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		if pipeline == nil {
+			WriteError(w, http.StatusServiceUnavailable, "Analysis service not configured")
+			return
+		}
+
+		var req types.AnalyzeURLRequest
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			WriteError(w, http.StatusBadRequest, "Invalid JSON in request body")
+			return
+		}
+
+		if req.URL == "" {
+			WriteError(w, http.StatusBadRequest, "The url field is required and must be non-empty")
+			return
+		}
+
+		requestID := RequestIDFromContext(r.Context())
+
+		html, err := fetcher.Fetch(r.Context(), req.URL)
+		if err != nil {
+			logger.Error("failed to fetch url",
+				"url", req.URL,
+				"request_id", requestID,
+				"error", err,
+			)
+			WriteError(w, http.StatusBadGateway, "Failed to fetch the page. Try using the browser extension instead.")
+			return
+		}
+
+		analysisReq := analyzer.AnalysisRequest{
+			URL:  req.URL,
+			HTML: html,
+		}
+
+		result, err := pipeline.Analyze(r.Context(), analysisReq)
+		if err != nil {
+			if errors.Is(err, context.DeadlineExceeded) {
+				logger.Error("analysis timed out",
+					"url", req.URL,
+					"request_id", requestID,
+					"error", err,
+				)
+				WriteError(w, http.StatusGatewayTimeout, "Analysis timed out. Please try again.")
+				return
+			}
+
+			logger.Error("analysis failed",
+				"url", req.URL,
+				"request_id", requestID,
+				"error", err,
+			)
+			WriteError(w, http.StatusBadGateway, "Analysis service temporarily unavailable. Please try again.")
+			return
+		}
+
+		WriteJSON(w, http.StatusOK, result)
+	}
+}
+
 func apiKeyStatus(key string) string {
 	if key != "" {
 		return "configured"
diff --git a/backend/internal/api/handler_test.go b/backend/internal/api/handler_test.go
index c1a996c..802f37c 100644
--- a/backend/internal/api/handler_test.go
+++ b/backend/internal/api/handler_test.go
@@ -411,3 +411,167 @@ func TestHealthHandler(t *testing.T) {
 		}
 	})
 }
+
+func TestAnalyzeURLHandler(t *testing.T) {
+	successResult := &analyzer.AnalysisResult{
+		URL:          "https://example.com/privacy",
+		OverallScore: 7.5,
+		RiskLevel:    analyzer.RiskModerate,
+		Dimensions: map[string]analyzer.DimScore{
+			analyzer.DimDataCollection: {Score: 8.0, Summary: "Good data collection practices"},
+			analyzer.DimDataSharing:    {Score: 7.0, Summary: "Moderate data sharing"},
+			analyzer.DimUserRights:     {Score: 7.5, Summary: "Adequate user rights"},
+			analyzer.DimRetention:      {Score: 7.0, Summary: "Reasonable retention"},
+			analyzer.DimSecurity:       {Score: 8.0, Summary: "Strong security measures"},
+		},
+		KeyConcerns: []string{"Third-party analytics"},
+		Summary:     "Overall moderate privacy practices",
+		Cached:      false,
+		AnalyzedAt:  time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC),
+	}
+
+	// Create a test server that serves HTML content.
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		fmt.Fprint(w, "<html><body>Privacy Policy content</body></html>")
+	}))
+	defer ts.Close()
+
+	// Create a fetcher that skips SSRF validation for the test server.
+	testFetcher := NewFetcher()
+	testFetcher.ValidateFunc = func(_ string) error { return nil }
+
+	t.Run("valid URL returns 200 with analysis result", func(t *testing.T) {
+		mock := &mockPipeline{result: successResult}
+		handler := NewAnalyzeURLHandler(mock, testFetcher, nil)
+
+		body := fmt.Sprintf(`{"url":%q}`, ts.URL)
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/api/v1/analyze-url", strings.NewReader(body))
+
+		handler(w, r)
+
+		if got := w.Code; got != http.StatusOK {
+			t.Errorf("status code = %d, want %d", got, http.StatusOK)
+		}
+
+		var got analyzer.AnalysisResult
+		if err := json.NewDecoder(w.Body).Decode(&got); err != nil {
+			t.Fatalf("failed to decode response body: %v", err)
+		}
+		if got.OverallScore != successResult.OverallScore {
+			t.Errorf("overall_score = %v, want %v", got.OverallScore, successResult.OverallScore)
+		}
+	})
+
+	t.Run("missing URL returns 400", func(t *testing.T) {
+		mock := &mockPipeline{result: successResult}
+		handler := NewAnalyzeURLHandler(mock, testFetcher, nil)
+
+		body := `{"url":""}`
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/api/v1/analyze-url", strings.NewReader(body))
+
+		handler(w, r)
+
+		if got := w.Code; got != http.StatusBadRequest {
+			t.Errorf("status code = %d, want %d", got, http.StatusBadRequest)
+		}
+
+		var got map[string]string
+		if err := json.NewDecoder(w.Body).Decode(&got); err != nil {
+			t.Fatalf("failed to decode response body: %v", err)
+		}
+		if !strings.Contains(strings.ToLower(got["error"]), "url") {
+			t.Errorf("error message = %q, want it to mention 'url'", got["error"])
+		}
+	})
+
+	t.Run("malformed JSON returns 400", func(t *testing.T) {
+		mock := &mockPipeline{result: successResult}
+		handler := NewAnalyzeURLHandler(mock, testFetcher, nil)
+
+		body := `{not valid json}`
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/api/v1/analyze-url", strings.NewReader(body))
+
+		handler(w, r)
+
+		if got := w.Code; got != http.StatusBadRequest {
+			t.Errorf("status code = %d, want %d", got, http.StatusBadRequest)
+		}
+	})
+
+	t.Run("fetch failure returns error with extension suggestion", func(t *testing.T) {
+		// Create a server that returns 403.
+		forbidden := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusForbidden)
+		}))
+		defer forbidden.Close()
+
+		mock := &mockPipeline{result: successResult}
+		handler := NewAnalyzeURLHandler(mock, testFetcher, nil)
+
+		body := fmt.Sprintf(`{"url":%q}`, forbidden.URL)
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/api/v1/analyze-url", strings.NewReader(body))
+
+		handler(w, r)
+
+		if got := w.Code; got != http.StatusBadGateway {
+			t.Errorf("status code = %d, want %d", got, http.StatusBadGateway)
+		}
+
+		var got map[string]string
+		if err := json.NewDecoder(w.Body).Decode(&got); err != nil {
+			t.Fatalf("failed to decode response body: %v", err)
+		}
+		if !strings.Contains(strings.ToLower(got["error"]), "extension") {
+			t.Errorf("error message = %q, want it to suggest using the browser extension", got["error"])
+		}
+	})
+
+	t.Run("pipeline error returns 502", func(t *testing.T) {
+		mock := &mockPipeline{err: errors.New("llm service unavailable")}
+		handler := NewAnalyzeURLHandler(mock, testFetcher, nil)
+
+		body := fmt.Sprintf(`{"url":%q}`, ts.URL)
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/api/v1/analyze-url", strings.NewReader(body))
+
+		handler(w, r)
+
+		if got := w.Code; got != http.StatusBadGateway {
+			t.Errorf("status code = %d, want %d", got, http.StatusBadGateway)
+		}
+	})
+
+	t.Run("pipeline timeout returns 504", func(t *testing.T) {
+		mock := &mockPipeline{err: context.DeadlineExceeded}
+		handler := NewAnalyzeURLHandler(mock, testFetcher, nil)
+
+		body := fmt.Sprintf(`{"url":%q}`, ts.URL)
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/api/v1/analyze-url", strings.NewReader(body))
+
+		handler(w, r)
+
+		if got := w.Code; got != http.StatusGatewayTimeout {
+			t.Errorf("status code = %d, want %d", got, http.StatusGatewayTimeout)
+		}
+	})
+
+	t.Run("nil pipeline returns 503", func(t *testing.T) {
+		handler := NewAnalyzeURLHandler(nil, testFetcher, nil)
+
+		body := fmt.Sprintf(`{"url":%q}`, ts.URL)
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/api/v1/analyze-url", strings.NewReader(body))
+
+		handler(w, r)
+
+		if got := w.Code; got != http.StatusServiceUnavailable {
+			t.Errorf("status code = %d, want %d", got, http.StatusServiceUnavailable)
+		}
+	})
+}
diff --git a/backend/internal/api/middleware.go b/backend/internal/api/middleware.go
index 80f3f6e..fef2bff 100644
--- a/backend/internal/api/middleware.go
+++ b/backend/internal/api/middleware.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"log/slog"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/google/uuid"
@@ -39,19 +40,50 @@ func (sr *statusRecorder) Write(b []byte) (int, error) {
 }
 
 // CORSMiddleware adds CORS headers to all responses and handles OPTIONS preflight requests.
-func CORSMiddleware(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Access-Control-Allow-Origin", "*")
-		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS, PUT, DELETE")
-		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+// allowedOrigins is a comma-separated list of allowed origins, or "*" for all.
+func CORSMiddleware(allowedOrigins string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			origin := r.Header.Get("Origin")
+			if allowedOrigins == "*" || allowedOrigins == "" {
+				w.Header().Set("Access-Control-Allow-Origin", "*")
+			} else if origin != "" && originAllowed(origin, allowedOrigins) {
+				w.Header().Set("Access-Control-Allow-Origin", origin)
+				w.Header().Set("Vary", "Origin")
+			}
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS, PUT, DELETE")
+			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
 
-		if r.Method == http.MethodOptions {
-			w.WriteHeader(http.StatusNoContent)
-			return
+			if r.Method == http.MethodOptions {
+				w.WriteHeader(http.StatusNoContent)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// originAllowed checks if origin is in the comma-separated allowedOrigins list.
+func originAllowed(origin, allowedOrigins string) bool {
+	for _, allowed := range splitOrigins(allowedOrigins) {
+		if allowed == origin {
+			return true
 		}
+	}
+	return false
+}
 
-		next.ServeHTTP(w, r)
-	})
+// splitOrigins splits a comma-separated origins string and trims whitespace.
+func splitOrigins(origins string) []string {
+	var result []string
+	for _, o := range strings.Split(origins, ",") {
+		trimmed := strings.TrimSpace(o)
+		if trimmed != "" {
+			result = append(result, trimmed)
+		}
+	}
+	return result
 }
 
 // LoggingMiddleware returns middleware that logs request method, path, status code, and duration.
diff --git a/backend/internal/api/middleware_test.go b/backend/internal/api/middleware_test.go
index e081336..f11bc94 100644
--- a/backend/internal/api/middleware_test.go
+++ b/backend/internal/api/middleware_test.go
@@ -17,8 +17,8 @@ func TestCORSMiddleware(t *testing.T) {
 		w.WriteHeader(http.StatusOK)
 	})
 
-	t.Run("sets CORS headers on regular request", func(t *testing.T) {
-		handler := CORSMiddleware(dummy)
+	t.Run("sets wildcard origin when configured with *", func(t *testing.T) {
+		handler := CORSMiddleware("*")(dummy)
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest(http.MethodGet, "/", nil)
 
@@ -36,7 +36,7 @@ func TestCORSMiddleware(t *testing.T) {
 	})
 
 	t.Run("handles OPTIONS with 204 and no body", func(t *testing.T) {
-		handler := CORSMiddleware(dummy)
+		handler := CORSMiddleware("*")(dummy)
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest(http.MethodOptions, "/", nil)
 
@@ -59,7 +59,7 @@ func TestCORSMiddleware(t *testing.T) {
 			called = true
 			w.WriteHeader(http.StatusOK)
 		})
-		handler := CORSMiddleware(next)
+		handler := CORSMiddleware("*")(next)
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest(http.MethodGet, "/", nil)
 
@@ -75,7 +75,7 @@ func TestCORSMiddleware(t *testing.T) {
 		next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			called = true
 		})
-		handler := CORSMiddleware(next)
+		handler := CORSMiddleware("*")(next)
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest(http.MethodOptions, "/", nil)
 
@@ -85,6 +85,32 @@ func TestCORSMiddleware(t *testing.T) {
 			t.Error("next handler should not be called for OPTIONS")
 		}
 	})
+
+	t.Run("sets matching origin when configured with specific origins", func(t *testing.T) {
+		handler := CORSMiddleware("https://example.com, https://other.com")(dummy)
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		r.Header.Set("Origin", "https://example.com")
+
+		handler.ServeHTTP(w, r)
+
+		if got := w.Header().Get("Access-Control-Allow-Origin"); got != "https://example.com" {
+			t.Errorf("Access-Control-Allow-Origin = %q, want %q", got, "https://example.com")
+		}
+	})
+
+	t.Run("does not set origin for non-matching request", func(t *testing.T) {
+		handler := CORSMiddleware("https://example.com")(dummy)
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		r.Header.Set("Origin", "https://evil.com")
+
+		handler.ServeHTTP(w, r)
+
+		if got := w.Header().Get("Access-Control-Allow-Origin"); got != "" {
+			t.Errorf("Access-Control-Allow-Origin = %q, want empty for non-matching origin", got)
+		}
+	})
 }
 
 func TestLoggingMiddleware(t *testing.T) {
diff --git a/backend/internal/api/ratelimiter.go b/backend/internal/api/ratelimiter.go
new file mode 100644
index 0000000..89690d5
--- /dev/null
+++ b/backend/internal/api/ratelimiter.go
@@ -0,0 +1,89 @@
+package api
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+	"sync"
+	"time"
+)
+
+// RateLimiter implements a sliding-window per-key rate limiter.
+type RateLimiter struct {
+	mu      sync.Mutex
+	limit   int
+	window  time.Duration
+	clients map[string][]time.Time
+}
+
+// NewRateLimiter creates a rate limiter that allows limit requests per window per key.
+func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
+	return &RateLimiter{
+		limit:   limit,
+		window:  window,
+		clients: make(map[string][]time.Time),
+	}
+}
+
+// Allow returns true if the key has not exceeded the rate limit.
+func (rl *RateLimiter) Allow(key string) bool {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+
+	now := time.Now()
+	cutoff := now.Add(-rl.window)
+
+	// Prune expired entries.
+	timestamps := rl.clients[key]
+	valid := timestamps[:0]
+	for _, t := range timestamps {
+		if t.After(cutoff) {
+			valid = append(valid, t)
+		}
+	}
+
+	if len(valid) >= rl.limit {
+		rl.clients[key] = valid
+		return false
+	}
+
+	rl.clients[key] = append(valid, now)
+	return true
+}
+
+// RateLimitMiddleware returns middleware that rate-limits requests by client IP.
+// The client IP is extracted from X-Forwarded-For (first value) or RemoteAddr.
+func RateLimitMiddleware(rl *RateLimiter) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ip := clientIP(r)
+			if !rl.Allow(ip) {
+				w.Header().Set("Retry-After", fmt.Sprintf("%d", int(rl.window.Seconds())))
+				WriteError(w, http.StatusTooManyRequests, "Rate limit exceeded. Please try again later.")
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// clientIP extracts the client IP from X-Forwarded-For or RemoteAddr.
+func clientIP(r *http.Request) string {
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+		// Take the first IP in the chain (client IP).
+		if i := len(xff); i > 0 {
+			for j := 0; j < len(xff); j++ {
+				if xff[j] == ',' {
+					return xff[:j]
+				}
+			}
+			return xff
+		}
+	}
+
+	host, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil {
+		return r.RemoteAddr
+	}
+	return host
+}
diff --git a/backend/internal/api/ratelimiter_test.go b/backend/internal/api/ratelimiter_test.go
new file mode 100644
index 0000000..abf0deb
--- /dev/null
+++ b/backend/internal/api/ratelimiter_test.go
@@ -0,0 +1,189 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestRateLimiter(t *testing.T) {
+	t.Run("allows requests under limit", func(t *testing.T) {
+		rl := NewRateLimiter(5, time.Minute)
+
+		for i := 0; i < 5; i++ {
+			if !rl.Allow("192.0.2.1") {
+				t.Errorf("request %d should be allowed", i+1)
+			}
+		}
+	})
+
+	t.Run("blocks requests over limit", func(t *testing.T) {
+		rl := NewRateLimiter(3, time.Minute)
+
+		for i := 0; i < 3; i++ {
+			rl.Allow("192.0.2.1")
+		}
+
+		if rl.Allow("192.0.2.1") {
+			t.Error("request over limit should be blocked")
+		}
+	})
+
+	t.Run("tracks different IPs independently", func(t *testing.T) {
+		rl := NewRateLimiter(2, time.Minute)
+
+		rl.Allow("192.0.2.1")
+		rl.Allow("192.0.2.1")
+
+		if rl.Allow("192.0.2.1") {
+			t.Error("IP 1 should be blocked")
+		}
+		if !rl.Allow("192.0.2.2") {
+			t.Error("IP 2 should be allowed")
+		}
+	})
+
+	t.Run("window expires and allows new requests", func(t *testing.T) {
+		rl := NewRateLimiter(1, 50*time.Millisecond)
+
+		if !rl.Allow("192.0.2.1") {
+			t.Error("first request should be allowed")
+		}
+		if rl.Allow("192.0.2.1") {
+			t.Error("second request should be blocked")
+		}
+
+		time.Sleep(60 * time.Millisecond)
+
+		if !rl.Allow("192.0.2.1") {
+			t.Error("request after window expiry should be allowed")
+		}
+	})
+
+	t.Run("concurrent access is safe", func(t *testing.T) {
+		rl := NewRateLimiter(100, time.Minute)
+
+		var wg sync.WaitGroup
+		for i := 0; i < 100; i++ {
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				rl.Allow("192.0.2.1")
+			}()
+		}
+		wg.Wait()
+
+		if rl.Allow("192.0.2.1") {
+			t.Error("should be blocked after 100 concurrent requests")
+		}
+	})
+}
+
+func TestRateLimitMiddleware(t *testing.T) {
+	t.Run("returns 429 when rate limited", func(t *testing.T) {
+		rl := NewRateLimiter(1, time.Minute)
+		inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		})
+		handler := RateLimitMiddleware(rl)(inner)
+
+		// First request should succeed.
+		w1 := httptest.NewRecorder()
+		r1 := httptest.NewRequest(http.MethodPost, "/", nil)
+		r1.RemoteAddr = "192.0.2.1:12345"
+		handler.ServeHTTP(w1, r1)
+
+		if w1.Code != http.StatusOK {
+			t.Errorf("first request: status = %d, want %d", w1.Code, http.StatusOK)
+		}
+
+		// Second request should be rate limited.
+		w2 := httptest.NewRecorder()
+		r2 := httptest.NewRequest(http.MethodPost, "/", nil)
+		r2.RemoteAddr = "192.0.2.1:12345"
+		handler.ServeHTTP(w2, r2)
+
+		if w2.Code != http.StatusTooManyRequests {
+			t.Errorf("second request: status = %d, want %d", w2.Code, http.StatusTooManyRequests)
+		}
+	})
+
+	t.Run("sets Retry-After header on 429", func(t *testing.T) {
+		rl := NewRateLimiter(1, time.Minute)
+		inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		})
+		handler := RateLimitMiddleware(rl)(inner)
+
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/", nil)
+		r.RemoteAddr = "192.0.2.1:12345"
+		handler.ServeHTTP(w, r)
+
+		// Trigger rate limit.
+		w2 := httptest.NewRecorder()
+		r2 := httptest.NewRequest(http.MethodPost, "/", nil)
+		r2.RemoteAddr = "192.0.2.1:12345"
+		handler.ServeHTTP(w2, r2)
+
+		retryAfter := w2.Header().Get("Retry-After")
+		if retryAfter == "" {
+			t.Error("expected Retry-After header on 429 response")
+		}
+	})
+
+	t.Run("returns JSON error body on 429", func(t *testing.T) {
+		rl := NewRateLimiter(1, time.Minute)
+		inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		})
+		handler := RateLimitMiddleware(rl)(inner)
+
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/", nil)
+		r.RemoteAddr = "192.0.2.1:12345"
+		handler.ServeHTTP(w, r)
+
+		w2 := httptest.NewRecorder()
+		r2 := httptest.NewRequest(http.MethodPost, "/", nil)
+		r2.RemoteAddr = "192.0.2.1:12345"
+		handler.ServeHTTP(w2, r2)
+
+		var got map[string]string
+		if err := json.NewDecoder(w2.Body).Decode(&got); err != nil {
+			t.Fatalf("failed to decode response body: %v", err)
+		}
+		if got["error"] == "" {
+			t.Error("expected non-empty error message in 429 response body")
+		}
+	})
+
+	t.Run("extracts IP from X-Forwarded-For header", func(t *testing.T) {
+		rl := NewRateLimiter(1, time.Minute)
+		inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		})
+		handler := RateLimitMiddleware(rl)(inner)
+
+		// First request with X-Forwarded-For.
+		w1 := httptest.NewRecorder()
+		r1 := httptest.NewRequest(http.MethodPost, "/", nil)
+		r1.RemoteAddr = "10.0.0.1:12345"
+		r1.Header.Set("X-Forwarded-For", "203.0.113.1")
+		handler.ServeHTTP(w1, r1)
+
+		// Second request from same forwarded IP.
+		w2 := httptest.NewRecorder()
+		r2 := httptest.NewRequest(http.MethodPost, "/", nil)
+		r2.RemoteAddr = "10.0.0.2:54321"
+		r2.Header.Set("X-Forwarded-For", "203.0.113.1")
+		handler.ServeHTTP(w2, r2)
+
+		if w2.Code != http.StatusTooManyRequests {
+			t.Errorf("second request from same forwarded IP: status = %d, want %d", w2.Code, http.StatusTooManyRequests)
+		}
+	})
+}
diff --git a/backend/internal/api/router.go b/backend/internal/api/router.go
index 96ca0f2..d7d95c2 100644
--- a/backend/internal/api/router.go
+++ b/backend/internal/api/router.go
@@ -17,13 +17,32 @@ const defaultRequestTimeout = 60 * time.Second
 // Middleware order (outermost to innermost): CORS -> Request ID -> Timeout -> Logging -> routes.
 // If logger is nil, the default slog logger is used.
 // If cfg is nil, the health handler uses zero-value config defaults.
-// If pipeline is nil, the analyze endpoint returns 503 Service Unavailable.
+// If pipeline is nil, the analyze endpoints return 503 Service Unavailable.
 // qdrantCheck is an optional function for the health endpoint to verify Qdrant connectivity.
 func NewRouter(logger *slog.Logger, cfg *config.Config, pipeline PipelineRunner, qdrantCheck func(ctx context.Context) error) http.Handler {
+	if cfg == nil {
+		cfg = &config.Config{}
+	}
+
 	mux := http.NewServeMux()
 
+	// Per-IP rate limiter shared across analyze endpoints.
+	rateLimit := cfg.RateLimitRequests
+	if rateLimit == 0 {
+		rateLimit = 5
+	}
+	rateWindow := cfg.RateLimitWindow
+	if rateWindow == 0 {
+		rateWindow = time.Minute
+	}
+	rateLimiter := NewRateLimiter(rateLimit, rateWindow)
+
 	mux.HandleFunc("GET /api/v1/health", NewHealthHandler(cfg, qdrantCheck))
-	mux.HandleFunc("POST /api/v1/analyze", NewAnalyzeHandler(pipeline, logger))
+	mux.Handle("POST /api/v1/analyze", RateLimitMiddleware(rateLimiter)(http.HandlerFunc(NewAnalyzeHandler(pipeline, logger))))
+
+	fetcher := NewFetcher()
+	analyzeURLHandler := NewAnalyzeURLHandler(pipeline, fetcher, logger)
+	mux.Handle("POST /api/v1/analyze-url", RateLimitMiddleware(rateLimiter)(analyzeURLHandler))
 
 	// Catch-all for unmatched routes to return JSON 404.
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
@@ -34,7 +53,7 @@ func NewRouter(logger *slog.Logger, cfg *config.Config, pipeline PipelineRunner,
 	handler = LoggingMiddleware(logger)(handler)
 	handler = TimeoutMiddleware(defaultRequestTimeout)(handler)
 	handler = RequestIDMiddleware(handler)
-	handler = CORSMiddleware(handler)
+	handler = CORSMiddleware(cfg.CORSAllowedOrigins)(handler)
 
 	return handler
 }
diff --git a/backend/internal/api/urlvalidator.go b/backend/internal/api/urlvalidator.go
new file mode 100644
index 0000000..e3f856f
--- /dev/null
+++ b/backend/internal/api/urlvalidator.go
@@ -0,0 +1,77 @@
+package api
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+	"strings"
+)
+
+// ValidateURL checks that rawURL is a safe, publicly-accessible HTTP(S) URL.
+// It rejects private IPs, loopback, link-local, and non-HTTP schemes to prevent SSRF.
+func ValidateURL(rawURL string) error {
+	if rawURL == "" {
+		return fmt.Errorf("url is required")
+	}
+
+	parsed, err := url.Parse(rawURL)
+	if err != nil {
+		return fmt.Errorf("invalid url: %w", err)
+	}
+
+	// Only allow http and https schemes.
+	scheme := strings.ToLower(parsed.Scheme)
+	if scheme != "http" && scheme != "https" {
+		return fmt.Errorf("unsupported scheme %q: only http and https are allowed", parsed.Scheme)
+	}
+
+	hostname := parsed.Hostname()
+	if hostname == "" {
+		return fmt.Errorf("url must include a hostname")
+	}
+
+	// Reject localhost by name.
+	if strings.EqualFold(hostname, "localhost") {
+		return fmt.Errorf("localhost is not allowed")
+	}
+
+	// Resolve hostname to IPs and validate each one.
+	ips, err := net.LookupHost(hostname)
+	if err != nil {
+		// If it's already an IP literal, validate directly.
+		ip := net.ParseIP(hostname)
+		if ip == nil {
+			return fmt.Errorf("cannot resolve hostname %q: %w", hostname, err)
+		}
+		return validateIP(ip)
+	}
+
+	for _, ipStr := range ips {
+		ip := net.ParseIP(ipStr)
+		if ip == nil {
+			continue
+		}
+		if err := validateIP(ip); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// validateIP rejects private, loopback, link-local, and unspecified IP addresses.
+func validateIP(ip net.IP) error {
+	if ip.IsLoopback() {
+		return fmt.Errorf("loopback address %s is not allowed", ip)
+	}
+	if ip.IsPrivate() {
+		return fmt.Errorf("private address %s is not allowed", ip)
+	}
+	if ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+		return fmt.Errorf("link-local address %s is not allowed", ip)
+	}
+	if ip.IsUnspecified() {
+		return fmt.Errorf("unspecified address %s is not allowed", ip)
+	}
+	return nil
+}
diff --git a/backend/internal/api/urlvalidator_test.go b/backend/internal/api/urlvalidator_test.go
new file mode 100644
index 0000000..a2581ce
--- /dev/null
+++ b/backend/internal/api/urlvalidator_test.go
@@ -0,0 +1,119 @@
+package api
+
+import (
+	"testing"
+)
+
+func TestValidateURL(t *testing.T) {
+	t.Run("accepts valid HTTPS URL", func(t *testing.T) {
+		if err := ValidateURL("https://example.com/privacy"); err != nil {
+			t.Errorf("unexpected error for valid HTTPS URL: %v", err)
+		}
+	})
+
+	t.Run("accepts valid HTTP URL", func(t *testing.T) {
+		if err := ValidateURL("http://example.com/privacy"); err != nil {
+			t.Errorf("unexpected error for valid HTTP URL: %v", err)
+		}
+	})
+
+	t.Run("rejects empty URL", func(t *testing.T) {
+		if err := ValidateURL(""); err == nil {
+			t.Error("expected error for empty URL")
+		}
+	})
+
+	t.Run("rejects URL without hostname", func(t *testing.T) {
+		if err := ValidateURL("http:///path"); err == nil {
+			t.Error("expected error for URL without hostname")
+		}
+	})
+
+	t.Run("rejects non-HTTP schemes", func(t *testing.T) {
+		schemes := []string{
+			"file:///etc/passwd",
+			"ftp://example.com/file",
+			"data:text/html,<h1>hi</h1>",
+			"javascript:alert(1)",
+			"gopher://example.com",
+		}
+		for _, u := range schemes {
+			if err := ValidateURL(u); err == nil {
+				t.Errorf("expected error for scheme in %q", u)
+			}
+		}
+	})
+
+	t.Run("rejects private IP 10.x.x.x", func(t *testing.T) {
+		urls := []string{
+			"http://10.0.0.1/page",
+			"http://10.255.255.255/page",
+		}
+		for _, u := range urls {
+			if err := ValidateURL(u); err == nil {
+				t.Errorf("expected error for private IP in %q", u)
+			}
+		}
+	})
+
+	t.Run("rejects private IP 172.16-31.x.x", func(t *testing.T) {
+		urls := []string{
+			"http://172.16.0.1/page",
+			"http://172.31.255.255/page",
+		}
+		for _, u := range urls {
+			if err := ValidateURL(u); err == nil {
+				t.Errorf("expected error for private IP in %q", u)
+			}
+		}
+	})
+
+	t.Run("rejects private IP 192.168.x.x", func(t *testing.T) {
+		if err := ValidateURL("http://192.168.1.1/page"); err == nil {
+			t.Error("expected error for private IP 192.168.x.x")
+		}
+	})
+
+	t.Run("rejects loopback 127.x.x.x", func(t *testing.T) {
+		urls := []string{
+			"http://127.0.0.1/page",
+			"http://127.0.0.2/page",
+		}
+		for _, u := range urls {
+			if err := ValidateURL(u); err == nil {
+				t.Errorf("expected error for loopback in %q", u)
+			}
+		}
+	})
+
+	t.Run("rejects localhost", func(t *testing.T) {
+		if err := ValidateURL("http://localhost:8080/page"); err == nil {
+			t.Error("expected error for localhost")
+		}
+	})
+
+	t.Run("rejects IPv6 loopback", func(t *testing.T) {
+		if err := ValidateURL("http://[::1]/page"); err == nil {
+			t.Error("expected error for IPv6 loopback")
+		}
+	})
+
+	t.Run("rejects link-local 169.254.x.x", func(t *testing.T) {
+		if err := ValidateURL("http://169.254.1.1/page"); err == nil {
+			t.Error("expected error for link-local address")
+		}
+	})
+
+	t.Run("rejects 0.0.0.0", func(t *testing.T) {
+		if err := ValidateURL("http://0.0.0.0/page"); err == nil {
+			t.Error("expected error for 0.0.0.0")
+		}
+	})
+
+	t.Run("accepts public IP", func(t *testing.T) {
+		// 8.8.8.8 is a public DNS IP
+		if err := ValidateURL("http://8.8.8.8/page"); err != nil {
+			t.Errorf("unexpected error for public IP: %v", err)
+		}
+	})
+}
diff --git a/backend/internal/config/config.go b/backend/internal/config/config.go
index 8fd6052..6281783 100644
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -3,29 +3,46 @@ package config
 import (
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
+	"time"
 )
 
 // Config holds all configuration values loaded from environment variables.
 type Config struct {
-	Port            string
-	LogLevel        string
-	AnthropicAPIKey string
-	OpenAIAPIKey    string
-	QdrantURL       string
-	CacheDefaultTTL string
+	Port               string
+	LogLevel           string
+	AnthropicAPIKey    string
+	OpenAIAPIKey       string
+	QdrantURL          string
+	CacheDefaultTTL    string
+	CORSAllowedOrigins string
+	RateLimitRequests  int
+	RateLimitWindow    time.Duration
 }
 
 // Load reads configuration from environment variables, applies defaults for
 // optional fields, and returns an error listing any missing required variables.
 func Load() (*Config, error) {
+	rateLimitRequests, err := strconv.Atoi(getEnvOrDefault("RATE_LIMIT_REQUESTS", "5"))
+	if err != nil {
+		return nil, fmt.Errorf("invalid RATE_LIMIT_REQUESTS: %w", err)
+	}
+	rateLimitWindow, err := time.ParseDuration(getEnvOrDefault("RATE_LIMIT_WINDOW", "1m"))
+	if err != nil {
+		return nil, fmt.Errorf("invalid RATE_LIMIT_WINDOW: %w", err)
+	}
+
 	cfg := &Config{
-		Port:            getEnvOrDefault("PORT", "8080"),
-		LogLevel:        getEnvOrDefault("LOG_LEVEL", "info"),
-		AnthropicAPIKey: os.Getenv("ANTHROPIC_API_KEY"),
-		OpenAIAPIKey:    os.Getenv("OPENAI_API_KEY"),
-		QdrantURL:       getEnvOrDefault("QDRANT_URL", "localhost:6334"),
-		CacheDefaultTTL: getEnvOrDefault("CACHE_DEFAULT_TTL", "720h"),
+		Port:               getEnvOrDefault("PORT", "8080"),
+		LogLevel:           getEnvOrDefault("LOG_LEVEL", "info"),
+		AnthropicAPIKey:    os.Getenv("ANTHROPIC_API_KEY"),
+		OpenAIAPIKey:       os.Getenv("OPENAI_API_KEY"),
+		QdrantURL:          getEnvOrDefault("QDRANT_URL", "localhost:6334"),
+		CacheDefaultTTL:    getEnvOrDefault("CACHE_DEFAULT_TTL", "720h"),
+		CORSAllowedOrigins: getEnvOrDefault("CORS_ALLOWED_ORIGINS", "*"),
+		RateLimitRequests:  rateLimitRequests,
+		RateLimitWindow:    rateLimitWindow,
 	}
 
 	var missing []string
diff --git a/backend/internal/types/request.go b/backend/internal/types/request.go
new file mode 100644
index 0000000..5143059
--- /dev/null
+++ b/backend/internal/types/request.go
@@ -0,0 +1,6 @@
+package types
+
+// AnalyzeURLRequest represents the JSON body for the analyze-url endpoint.
+type AnalyzeURLRequest struct {
+	URL string `json:"url"`
+}
diff --git a/website/README.md b/website/README.md
new file mode 100644
index 0000000..f969b05
--- /dev/null
+++ b/website/README.md
@@ -0,0 +1,41 @@
+# SmolTerms Website
+
+Static landing page for the SmolTerms project.
+
+## Local Development
+
+No build step required. Open `index.html` directly in your browser:
+
+```bash
+# From the project root
+open website/index.html
+
+# Or use a local server (optional, for consistent behavior)
+cd website && python3 -m http.server 3000
+```
+
+Then visit `http://localhost:3000`.
+
+## Deployment (GitHub Pages)
+
+1. In the GitHub repository, go to **Settings > Pages**
+2. Set the source to **Deploy from a branch**
+3. Select the branch and set the folder to `/website`
+4. Save — the site will be live at `https://<username>.github.io/smolterms/`
+
+No build step or CI configuration is needed. GitHub Pages serves the static files directly.
+
+## Structure
+
+```
+website/
+├── index.html   # Main page (all sections)
+├── script.js    # Smooth scrolling, mobile nav
+└── README.md    # This file
+```
+
+## Tech
+
+- **Tailwind CSS** via CDN (no build)
+- **Inter** font via Google Fonts
+- Vanilla JavaScript (no framework)
diff --git a/website/index.html b/website/index.html
new file mode 100644
index 0000000..da05854
--- /dev/null
+++ b/website/index.html
@@ -0,0 +1,387 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>SmolTerms - Understand Privacy Policies in Seconds</title>
+  <meta name="description" content="SmolTerms is a browser extension that analyzes privacy policies and gives you clear privacy scores across 5 dimensions. Stop blindly accepting terms you haven't read.">
+  <link rel="preconnect" href="https://fonts.googleapis.com">
+  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+  <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
+  <script src="https://cdn.tailwindcss.com"></script>
+  <script>
+    tailwind.config = {
+      theme: {
+        extend: {
+          fontFamily: {
+            sans: ['Inter', 'system-ui', 'sans-serif'],
+          },
+          colors: {
+            cream: {
+              50: '#fdfcfa',
+              100: '#faf9f6',
+              200: '#f5f3ee',
+              300: '#eae7e0',
+              400: '#d4d0c8',
+              500: '#b8b3a8',
+              600: '#9c9688',
+              700: '#7a7568',
+              800: '#5c584e',
+              900: '#3d3a34',
+            },
+            risk: {
+              low: '#4ade80',
+              moderate: '#facc15',
+              high: '#fb923c',
+              critical: '#f87171',
+            }
+          }
+        }
+      }
+    }
+  </script>
+  <style>
+    @keyframes spin { to { transform: rotate(360deg); } }
+    .spinner { animation: spin 0.8s linear infinite; }
+  </style>
+</head>
+<body class="bg-cream-100 text-cream-900 font-sans antialiased">
+
+  <!-- Navigation -->
+  <nav class="fixed top-0 w-full bg-cream-100/90 backdrop-blur-sm border-b border-cream-300 z-50">
+    <div class="max-w-5xl mx-auto px-6 py-4 flex items-center justify-between">
+      <a href="#" class="text-xl font-bold tracking-tight">SmolTerms</a>
+      <div class="hidden md:flex items-center gap-8 text-sm font-medium text-cream-700">
+        <a href="#features" class="hover:text-cream-900 transition-colors">Features</a>
+        <a href="#how-it-works" class="hover:text-cream-900 transition-colors">How It Works</a>
+        <a href="#scoring" class="hover:text-cream-900 transition-colors">Scoring</a>
+        <a href="#try-it" class="hover:text-cream-900 transition-colors">Try It</a>
+        <a href="#install" class="bg-cream-400 hover:bg-cream-500 text-cream-900 px-4 py-2 rounded-lg transition-colors">Install</a>
+      </div>
+      <button id="mobile-menu-btn" class="md:hidden p-2 text-cream-700" aria-label="Toggle menu">
+        <svg class="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h16"/>
+        </svg>
+      </button>
+    </div>
+    <!-- Mobile menu -->
+    <div id="mobile-menu" class="hidden md:hidden border-t border-cream-300 bg-cream-100">
+      <div class="px-6 py-4 flex flex-col gap-4 text-sm font-medium text-cream-700">
+        <a href="#features" class="hover:text-cream-900 transition-colors">Features</a>
+        <a href="#how-it-works" class="hover:text-cream-900 transition-colors">How It Works</a>
+        <a href="#scoring" class="hover:text-cream-900 transition-colors">Scoring</a>
+        <a href="#try-it" class="hover:text-cream-900 transition-colors">Try It</a>
+        <a href="#install" class="bg-cream-400 hover:bg-cream-500 text-cream-900 px-4 py-2 rounded-lg text-center transition-colors">Install</a>
+      </div>
+    </div>
+  </nav>
+
+  <!-- Hero -->
+  <section class="pt-32 pb-20 px-6">
+    <div class="max-w-3xl mx-auto text-center">
+      <h1 class="text-4xl md:text-5xl font-bold tracking-tight leading-tight mb-6">
+        Understand Privacy Policies<br>in Seconds
+      </h1>
+      <p class="text-lg md:text-xl text-cream-600 mb-10 max-w-2xl mx-auto leading-relaxed">
+        SmolTerms is a browser extension that reads the fine print so you don't have to. Get clear privacy scores across 5 dimensions before you click "I agree."
+      </p>
+      <div class="flex flex-col sm:flex-row items-center justify-center gap-4">
+        <a href="#install" class="bg-cream-900 hover:bg-cream-800 text-cream-100 px-8 py-3 rounded-lg font-semibold transition-colors">
+          Get the Extension
+        </a>
+        <a href="#how-it-works" class="bg-cream-300 hover:bg-cream-400 text-cream-900 px-8 py-3 rounded-lg font-semibold transition-colors">
+          See How It Works
+        </a>
+      </div>
+    </div>
+  </section>
+
+  <!-- What It Does / Features -->
+  <section id="features" class="py-20 px-6 bg-cream-50">
+    <div class="max-w-5xl mx-auto">
+      <h2 class="text-3xl font-bold text-center mb-4">What SmolTerms Does</h2>
+      <p class="text-cream-600 text-center max-w-2xl mx-auto mb-14">
+        One click to analyze any privacy policy. SmolTerms breaks down complex legal language into clear, actionable scores.
+      </p>
+      <div class="grid md:grid-cols-3 gap-8">
+        <div class="bg-cream-100 rounded-xl p-6 border border-cream-300">
+          <div class="w-10 h-10 bg-cream-300 rounded-lg flex items-center justify-center mb-4">
+            <svg class="w-5 h-5 text-cream-800" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"/>
+            </svg>
+          </div>
+          <h3 class="font-semibold text-lg mb-2">Privacy Scoring</h3>
+          <p class="text-cream-600 text-sm leading-relaxed">
+            Get scores across 5 privacy dimensions — data collection, sharing, user rights, retention, and security — rated 1 to 10.
+          </p>
+        </div>
+        <div class="bg-cream-100 rounded-xl p-6 border border-cream-300">
+          <div class="w-10 h-10 bg-cream-300 rounded-lg flex items-center justify-center mb-4">
+            <svg class="w-5 h-5 text-cream-800" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13 10V3L4 14h7v7l9-11h-7z"/>
+            </svg>
+          </div>
+          <h3 class="font-semibold text-lg mb-2">AI-Powered Analysis</h3>
+          <p class="text-cream-600 text-sm leading-relaxed">
+            Uses a RAG pipeline and LLMs to read and understand privacy policies the way a privacy expert would.
+          </p>
+        </div>
+        <div class="bg-cream-100 rounded-xl p-6 border border-cream-300">
+          <div class="w-10 h-10 bg-cream-300 rounded-lg flex items-center justify-center mb-4">
+            <svg class="w-5 h-5 text-cream-800" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 8v4m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z"/>
+            </svg>
+          </div>
+          <h3 class="font-semibold text-lg mb-2">Key Concerns</h3>
+          <p class="text-cream-600 text-sm leading-relaxed">
+            Highlights the most important privacy concerns so you know exactly what to watch out for.
+          </p>
+        </div>
+      </div>
+    </div>
+  </section>
+
+  <!-- Motivation -->
+  <section class="py-20 px-6">
+    <div class="max-w-3xl mx-auto text-center">
+      <h2 class="text-3xl font-bold mb-6">Why SmolTerms Exists</h2>
+      <p class="text-cream-600 text-lg leading-relaxed mb-6">
+        The average privacy policy is over 4,000 words long. It would take roughly 18 minutes to read — and most people encounter dozens of them every year. Nobody reads them, but everyone agrees to them.
+      </p>
+      <p class="text-cream-600 text-lg leading-relaxed">
+        SmolTerms exists because you deserve to know what you're agreeing to without spending hours reading legal jargon. One click, clear scores, and the key concerns — that's it.
+      </p>
+    </div>
+  </section>
+
+  <!-- How It Works -->
+  <section id="how-it-works" class="py-20 px-6 bg-cream-50">
+    <div class="max-w-5xl mx-auto">
+      <h2 class="text-3xl font-bold text-center mb-14">How It Works</h2>
+      <div class="grid md:grid-cols-3 gap-8">
+        <div class="text-center">
+          <div class="w-14 h-14 bg-cream-300 rounded-full flex items-center justify-center mx-auto mb-5">
+            <span class="text-xl font-bold text-cream-800">1</span>
+          </div>
+          <h3 class="font-semibold text-lg mb-2">Visit a Page</h3>
+          <p class="text-cream-600 text-sm leading-relaxed">
+            Navigate to any website's privacy policy or terms of service page.
+          </p>
+        </div>
+        <div class="text-center">
+          <div class="w-14 h-14 bg-cream-300 rounded-full flex items-center justify-center mx-auto mb-5">
+            <span class="text-xl font-bold text-cream-800">2</span>
+          </div>
+          <h3 class="font-semibold text-lg mb-2">Click the Extension</h3>
+          <p class="text-cream-600 text-sm leading-relaxed">
+            Click the SmolTerms icon in your browser toolbar. The extension extracts the page content and sends it for analysis.
+          </p>
+        </div>
+        <div class="text-center">
+          <div class="w-14 h-14 bg-cream-300 rounded-full flex items-center justify-center mx-auto mb-5">
+            <span class="text-xl font-bold text-cream-800">3</span>
+          </div>
+          <h3 class="font-semibold text-lg mb-2">Get Your Scores</h3>
+          <p class="text-cream-600 text-sm leading-relaxed">
+            Within seconds, see privacy scores across 5 dimensions, key concerns, and an overall risk level.
+          </p>
+        </div>
+      </div>
+    </div>
+  </section>
+
+  <!-- Install -->
+  <section id="install" class="py-20 px-6">
+    <div class="max-w-3xl mx-auto text-center">
+      <h2 class="text-3xl font-bold mb-4">Get SmolTerms</h2>
+      <p class="text-cream-600 mb-10">Available for Firefox and Chrome. Free and open source.</p>
+      <div class="flex flex-col sm:flex-row items-center justify-center gap-4">
+        <a href="#" class="flex items-center gap-3 bg-cream-400 hover:bg-cream-500 text-cream-900 px-8 py-4 rounded-xl font-semibold transition-colors w-full sm:w-auto justify-center">
+          <svg class="w-6 h-6" viewBox="0 0 24 24" fill="currentColor">
+            <path d="M12 0C5.373 0 0 5.373 0 12s5.373 12 12 12 12-5.373 12-12S18.627 0 12 0zm5.894 8.221l-1.97 9.28c-.145.658-.537.818-1.084.508l-3-2.21-1.446 1.394c-.14.14-.357.28-.732.28l.228-3.132 5.62-5.08c.27-.228-.054-.354-.42-.144l-6.946 4.374-2.994-.934c-.654-.196-.662-.654.144-.97l11.66-4.494c.538-.196 1.006.128.84.928z"/>
+          </svg>
+          Add to Firefox
+        </a>
+        <a href="#" class="flex items-center gap-3 bg-cream-400 hover:bg-cream-500 text-cream-900 px-8 py-4 rounded-xl font-semibold transition-colors w-full sm:w-auto justify-center">
+          <svg class="w-6 h-6" viewBox="0 0 24 24" fill="currentColor">
+            <path d="M12 0C8.21 0 4.831 1.757 2.632 4.501l3.953 6.848A5.454 5.454 0 0 1 12 6.545h10.691A12 12 0 0 0 12 0zM1.931 5.47A11.943 11.943 0 0 0 0 12c0 6.012 4.42 10.991 10.189 11.864l3.953-6.847a5.45 5.45 0 0 1-6.865-2.29zm13.342 2.166L19.227 14.484A11.943 11.943 0 0 0 24 12c0-1.529-.287-2.992-.809-4.364zM12 16.364a4.364 4.364 0 1 0 0-8.728 4.364 4.364 0 0 0 0 8.728z"/>
+          </svg>
+          Add to Chrome
+        </a>
+      </div>
+      <p class="text-cream-500 text-sm mt-6">Extension store links will be available once published.</p>
+    </div>
+  </section>
+
+  <!-- Scoring -->
+  <section id="scoring" class="py-20 px-6 bg-cream-50">
+    <div class="max-w-5xl mx-auto">
+      <h2 class="text-3xl font-bold text-center mb-4">Privacy Scoring System</h2>
+      <p class="text-cream-600 text-center max-w-2xl mx-auto mb-14">
+        Every policy is scored across 5 dimensions on a scale of 1 to 10, where higher is better for your privacy.
+      </p>
+
+      <!-- Dimensions -->
+      <div class="grid sm:grid-cols-2 lg:grid-cols-3 gap-6 mb-16">
+        <div class="bg-cream-100 rounded-xl p-5 border border-cream-300">
+          <h3 class="font-semibold mb-1">Data Collection</h3>
+          <p class="text-cream-600 text-sm leading-relaxed">How much personal data is collected, what types, and whether collection is proportionate to the service.</p>
+        </div>
+        <div class="bg-cream-100 rounded-xl p-5 border border-cream-300">
+          <h3 class="font-semibold mb-1">Data Sharing</h3>
+          <p class="text-cream-600 text-sm leading-relaxed">Whether data is shared or sold to third parties and under what conditions.</p>
+        </div>
+        <div class="bg-cream-100 rounded-xl p-5 border border-cream-300">
+          <h3 class="font-semibold mb-1">User Rights</h3>
+          <p class="text-cream-600 text-sm leading-relaxed">Your ability to access, delete, and export your data, plus opt-out mechanisms.</p>
+        </div>
+        <div class="bg-cream-100 rounded-xl p-5 border border-cream-300">
+          <h3 class="font-semibold mb-1">Retention</h3>
+          <p class="text-cream-600 text-sm leading-relaxed">How long your data is kept and whether retention periods are clearly defined.</p>
+        </div>
+        <div class="bg-cream-100 rounded-xl p-5 border border-cream-300">
+          <h3 class="font-semibold mb-1">Security</h3>
+          <p class="text-cream-600 text-sm leading-relaxed">Security measures mentioned including encryption, breach notification policies, and data protection practices.</p>
+        </div>
+      </div>
+
+      <!-- Risk Levels -->
+      <h3 class="text-xl font-bold text-center mb-8">Risk Levels</h3>
+      <div class="grid sm:grid-cols-2 lg:grid-cols-4 gap-4 max-w-3xl mx-auto">
+        <div class="flex items-center gap-3 bg-cream-100 rounded-lg p-4 border border-cream-300">
+          <div class="w-4 h-4 rounded-full bg-risk-low flex-shrink-0"></div>
+          <div>
+            <span class="font-semibold text-sm">Low Risk</span>
+            <span class="text-cream-500 text-sm block">8.0 – 10.0</span>
+          </div>
+        </div>
+        <div class="flex items-center gap-3 bg-cream-100 rounded-lg p-4 border border-cream-300">
+          <div class="w-4 h-4 rounded-full bg-risk-moderate flex-shrink-0"></div>
+          <div>
+            <span class="font-semibold text-sm">Moderate</span>
+            <span class="text-cream-500 text-sm block">5.0 – 7.9</span>
+          </div>
+        </div>
+        <div class="flex items-center gap-3 bg-cream-100 rounded-lg p-4 border border-cream-300">
+          <div class="w-4 h-4 rounded-full bg-risk-high flex-shrink-0"></div>
+          <div>
+            <span class="font-semibold text-sm">High Risk</span>
+            <span class="text-cream-500 text-sm block">3.0 – 4.9</span>
+          </div>
+        </div>
+        <div class="flex items-center gap-3 bg-cream-100 rounded-lg p-4 border border-cream-300">
+          <div class="w-4 h-4 rounded-full bg-risk-critical flex-shrink-0"></div>
+          <div>
+            <span class="font-semibold text-sm">Critical</span>
+            <span class="text-cream-500 text-sm block">1.0 – 2.9</span>
+          </div>
+        </div>
+      </div>
+    </div>
+  </section>
+
+  <!-- Try It - URL Analysis -->
+  <section id="try-it" class="py-20 px-6">
+    <div class="max-w-3xl mx-auto text-center">
+      <h2 class="text-3xl font-bold mb-4">Analyze a Privacy Policy</h2>
+      <p class="text-cream-600 mb-8">
+        Don't want to install the extension? Paste a privacy policy URL below and get the same analysis.
+      </p>
+
+      <!-- URL Form -->
+      <form id="analyze-form" class="flex flex-col sm:flex-row gap-3 mb-4">
+        <input
+          id="url-input"
+          type="url"
+          placeholder="Paste a privacy policy URL..."
+          class="flex-1 px-4 py-3 rounded-lg border border-cream-300 bg-cream-50 text-cream-900 placeholder-cream-500 focus:outline-none focus:ring-2 focus:ring-cream-400 focus:border-transparent text-sm"
+          required
+        >
+        <button
+          id="analyze-btn"
+          type="submit"
+          class="bg-cream-900 hover:bg-cream-800 text-cream-100 px-6 py-3 rounded-lg font-semibold transition-colors text-sm whitespace-nowrap disabled:opacity-50 disabled:cursor-not-allowed"
+        >
+          Analyze
+        </button>
+      </form>
+
+      <!-- Validation Message -->
+      <p id="validation-msg" class="text-red-500 text-sm mb-4 hidden"></p>
+
+      <!-- Loading State -->
+      <div id="loading-state" class="hidden py-10">
+        <div class="w-8 h-8 border-3 border-cream-300 border-t-cream-700 rounded-full spinner mx-auto mb-4" style="border-width: 3px;"></div>
+        <p class="text-cream-600 text-sm">Analyzing privacy policy... This may take 10–30 seconds.</p>
+      </div>
+
+      <!-- Error State -->
+      <div id="error-state" class="hidden text-left">
+        <div class="bg-red-50 border border-red-200 rounded-xl p-6">
+          <p id="error-message" class="text-red-700 text-sm font-medium mb-2"></p>
+          <p id="error-suggestion" class="text-red-600 text-sm hidden"></p>
+        </div>
+      </div>
+
+      <!-- Results -->
+      <div id="results-state" class="hidden text-left">
+        <!-- Overall Score -->
+        <div id="results-header" class="bg-cream-100 rounded-xl p-6 border border-cream-300 mb-6">
+          <div class="flex flex-col sm:flex-row items-center justify-between gap-4">
+            <div class="text-center sm:text-left">
+              <p class="text-cream-600 text-sm mb-1">Overall Privacy Score</p>
+              <div class="flex items-center gap-3">
+                <span id="overall-score" class="text-4xl font-bold"></span>
+                <span class="text-cream-500 text-lg font-medium">/ 10</span>
+              </div>
+            </div>
+            <div class="flex items-center gap-2">
+              <span id="risk-badge" class="px-4 py-1.5 rounded-full text-sm font-semibold"></span>
+              <span id="cached-badge" class="px-3 py-1 rounded-full text-xs font-medium bg-cream-300 text-cream-700 hidden">Cached</span>
+            </div>
+          </div>
+        </div>
+
+        <!-- Dimension Scores -->
+        <div id="dimension-scores" class="grid sm:grid-cols-2 gap-4 mb-6"></div>
+
+        <!-- Summary -->
+        <div id="results-summary" class="bg-cream-100 rounded-xl p-6 border border-cream-300 mb-6">
+          <h3 class="font-semibold mb-2">Summary</h3>
+          <p id="summary-text" class="text-cream-600 text-sm leading-relaxed"></p>
+        </div>
+
+        <!-- Key Concerns -->
+        <div id="results-concerns" class="bg-cream-100 rounded-xl p-6 border border-cream-300 mb-6">
+          <h3 class="font-semibold mb-3">Key Concerns</h3>
+          <ul id="concerns-list" class="space-y-2"></ul>
+        </div>
+
+        <!-- Analyze Another -->
+        <div class="text-center">
+          <button id="analyze-another-btn" class="text-cream-600 hover:text-cream-900 text-sm font-medium underline transition-colors">
+            Analyze another URL
+          </button>
+        </div>
+      </div>
+    </div>
+  </section>
+
+  <!-- Footer -->
+  <footer class="py-12 px-6 border-t border-cream-300 bg-cream-50">
+    <div class="max-w-5xl mx-auto flex flex-col md:flex-row items-center justify-between gap-6">
+      <div class="flex items-center gap-6">
+        <span class="font-bold text-lg">SmolTerms</span>
+        <a href="https://github.com/Parth576/smolterms" target="_blank" rel="noopener noreferrer" class="text-cream-600 hover:text-cream-900 text-sm transition-colors">
+          GitHub
+        </a>
+      </div>
+      <p class="text-cream-500 text-sm">
+        Open source under the MIT License.
+      </p>
+    </div>
+  </footer>
+
+  <script src="script.js"></script>
+</body>
+</html>
diff --git a/website/script.js b/website/script.js
new file mode 100644
index 0000000..a280d85
--- /dev/null
+++ b/website/script.js
@@ -0,0 +1,315 @@
+// Mobile menu toggle
+const menuBtn = document.getElementById('mobile-menu-btn');
+const mobileMenu = document.getElementById('mobile-menu');
+
+menuBtn.addEventListener('click', () => {
+  mobileMenu.classList.toggle('hidden');
+});
+
+// Close mobile menu when a link is clicked
+mobileMenu.querySelectorAll('a').forEach(link => {
+  link.addEventListener('click', () => {
+    mobileMenu.classList.add('hidden');
+  });
+});
+
+// Smooth scrolling for anchor links
+document.querySelectorAll('a[href^="#"]').forEach(anchor => {
+  anchor.addEventListener('click', (e) => {
+    const targetId = anchor.getAttribute('href');
+    if (targetId === '#') return;
+
+    const target = document.querySelector(targetId);
+    if (target) {
+      e.preventDefault();
+      target.scrollIntoView({ behavior: 'smooth', block: 'start' });
+    }
+  });
+});
+
+// ---------------------------------------------------------------------------
+// URL Analysis Feature
+// ---------------------------------------------------------------------------
+
+const API_BASE = 'http://localhost:8080';
+
+// DOM references
+const analyzeForm = document.getElementById('analyze-form');
+const urlInput = document.getElementById('url-input');
+const analyzeBtn = document.getElementById('analyze-btn');
+const validationMsg = document.getElementById('validation-msg');
+const loadingState = document.getElementById('loading-state');
+const errorState = document.getElementById('error-state');
+const errorMessage = document.getElementById('error-message');
+const errorSuggestion = document.getElementById('error-suggestion');
+const resultsState = document.getElementById('results-state');
+const overallScore = document.getElementById('overall-score');
+const riskBadge = document.getElementById('risk-badge');
+const cachedBadge = document.getElementById('cached-badge');
+const dimensionScores = document.getElementById('dimension-scores');
+const summaryText = document.getElementById('summary-text');
+const concernsList = document.getElementById('concerns-list');
+const analyzeAnotherBtn = document.getElementById('analyze-another-btn');
+
+// Dimension key -> display label
+const DIMENSION_LABELS = {
+  data_collection: 'Data Collection',
+  data_sharing: 'Data Sharing',
+  user_rights: 'User Rights',
+  retention: 'Retention',
+  security: 'Security',
+};
+
+// Risk level -> Tailwind classes for the badge
+const RISK_STYLES = {
+  low: { bg: 'bg-risk-low', text: 'text-green-900', label: 'Low Risk' },
+  moderate: { bg: 'bg-risk-moderate', text: 'text-yellow-900', label: 'Moderate Risk' },
+  high: { bg: 'bg-risk-high', text: 'text-orange-900', label: 'High Risk' },
+  critical: { bg: 'bg-risk-critical', text: 'text-red-900', label: 'Critical Risk' },
+};
+
+// Score -> Tailwind text color for dimension score numbers
+function getScoreColor(score) {
+  if (score >= 8) return 'text-green-600';
+  if (score >= 5) return 'text-yellow-600';
+  if (score >= 3) return 'text-orange-500';
+  return 'text-red-500';
+}
+
+// ---------------------------------------------------------------------------
+// State management
+// ---------------------------------------------------------------------------
+
+function resetState() {
+  validationMsg.classList.add('hidden');
+  validationMsg.textContent = '';
+  loadingState.classList.add('hidden');
+  errorState.classList.add('hidden');
+  resultsState.classList.add('hidden');
+  errorSuggestion.classList.add('hidden');
+}
+
+function showLoading() {
+  resetState();
+  loadingState.classList.remove('hidden');
+  analyzeBtn.disabled = true;
+  analyzeBtn.textContent = 'Analyzing...';
+}
+
+function hideLoading() {
+  loadingState.classList.add('hidden');
+  analyzeBtn.disabled = false;
+  analyzeBtn.textContent = 'Analyze';
+}
+
+function showValidation(message) {
+  resetState();
+  validationMsg.textContent = message;
+  validationMsg.classList.remove('hidden');
+}
+
+function showError(message, suggestion) {
+  hideLoading();
+  errorState.classList.remove('hidden');
+  errorMessage.textContent = message;
+  if (suggestion) {
+    errorSuggestion.textContent = suggestion;
+    errorSuggestion.classList.remove('hidden');
+  }
+  scrollToElement(errorState);
+}
+
+function scrollToElement(el) {
+  // Small delay to ensure DOM is painted before scrolling
+  setTimeout(() => {
+    el.scrollIntoView({ behavior: 'smooth', block: 'start' });
+  }, 100);
+}
+
+// ---------------------------------------------------------------------------
+// URL validation
+// ---------------------------------------------------------------------------
+
+function isValidURL(str) {
+  try {
+    const url = new URL(str);
+    return url.protocol === 'http:' || url.protocol === 'https:';
+  } catch {
+    return false;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// API call
+// ---------------------------------------------------------------------------
+
+async function analyzeURL(url) {
+  const response = await fetch(`${API_BASE}/api/v1/analyze-url`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ url }),
+  });
+
+  const data = await response.json();
+
+  if (!response.ok) {
+    const error = new Error(data.error || 'An unexpected error occurred');
+    error.status = response.status;
+    throw error;
+  }
+
+  return data;
+}
+
+// ---------------------------------------------------------------------------
+// Results rendering
+// ---------------------------------------------------------------------------
+
+function renderResults(data) {
+  hideLoading();
+
+  // Handle not_policy as a special case
+  if (data.risk_level === 'not_policy') {
+    showError(
+      "This page doesn't appear to be a privacy policy.",
+      'Try submitting a direct link to a privacy policy or terms of service page.'
+    );
+    return;
+  }
+
+  // Overall score
+  overallScore.textContent = data.overall_score.toFixed(1);
+  overallScore.className = `text-4xl font-bold ${getScoreColor(data.overall_score)}`;
+
+  // Risk badge
+  const risk = RISK_STYLES[data.risk_level] || RISK_STYLES.moderate;
+  riskBadge.textContent = risk.label;
+  riskBadge.className = `px-4 py-1.5 rounded-full text-sm font-semibold ${risk.bg} ${risk.text}`;
+
+  // Cached badge
+  if (data.cached) {
+    cachedBadge.classList.remove('hidden');
+  } else {
+    cachedBadge.classList.add('hidden');
+  }
+
+  // Dimension scores
+  dimensionScores.innerHTML = '';
+  const dimensionOrder = ['data_collection', 'data_sharing', 'user_rights', 'retention', 'security'];
+  for (const key of dimensionOrder) {
+    const dim = data.dimensions[key];
+    if (!dim) continue;
+
+    const card = document.createElement('div');
+    card.className = 'bg-cream-100 rounded-xl p-5 border border-cream-300 text-left';
+    card.innerHTML = `
+      <div class="flex items-center justify-between mb-2">
+        <h4 class="font-semibold text-sm">${DIMENSION_LABELS[key] || key}</h4>
+        <span class="text-lg font-bold ${getScoreColor(dim.score)}">${dim.score.toFixed(1)}</span>
+      </div>
+      <p class="text-cream-600 text-xs leading-relaxed">${escapeHTML(dim.summary)}</p>
+    `;
+    dimensionScores.appendChild(card);
+  }
+
+  // Summary
+  summaryText.textContent = data.summary || '';
+
+  // Key concerns
+  concernsList.innerHTML = '';
+  if (data.key_concerns && data.key_concerns.length > 0) {
+    for (const concern of data.key_concerns) {
+      const li = document.createElement('li');
+      li.className = 'flex items-start gap-2 text-sm text-cream-700';
+      li.innerHTML = `
+        <svg class="w-4 h-4 text-risk-high flex-shrink-0 mt-0.5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z"/>
+        </svg>
+        <span>${escapeHTML(concern)}</span>
+      `;
+      concernsList.appendChild(li);
+    }
+  } else {
+    concernsList.innerHTML = '<li class="text-sm text-cream-500">No major concerns identified.</li>';
+  }
+
+  resultsState.classList.remove('hidden');
+  scrollToElement(document.getElementById('results-header'));
+}
+
+// Escape HTML to prevent XSS from API response content
+function escapeHTML(str) {
+  const div = document.createElement('div');
+  div.textContent = str;
+  return div.innerHTML;
+}
+
+// ---------------------------------------------------------------------------
+// Error handling
+// ---------------------------------------------------------------------------
+
+function handleError(err) {
+  if (err.status === 429) {
+    showError('Too many requests. Please wait a moment and try again.');
+    return;
+  }
+
+  if (err.status === 502) {
+    showError(
+      err.message || 'Failed to fetch the page for analysis.',
+      'Some websites block automated access. Try using the SmolTerms browser extension instead for full compatibility.'
+    );
+    return;
+  }
+
+  if (err.status === 504) {
+    showError('Analysis timed out. The page may be too large. Please try again.');
+    return;
+  }
+
+  // Network error (no status) or other unexpected errors
+  if (!err.status) {
+    showError('Could not reach the analysis server. Please check that the backend is running and try again.');
+    return;
+  }
+
+  // Generic error with backend message
+  showError(err.message || 'An unexpected error occurred. Please try again.');
+}
+
+// ---------------------------------------------------------------------------
+// Form submission
+// ---------------------------------------------------------------------------
+
+analyzeForm.addEventListener('submit', async (e) => {
+  e.preventDefault();
+
+  const url = urlInput.value.trim();
+
+  if (!url) {
+    showValidation('Please enter a URL.');
+    return;
+  }
+
+  if (!isValidURL(url)) {
+    showValidation('Please enter a valid URL (e.g., https://example.com/privacy).');
+    return;
+  }
+
+  showLoading();
+
+  try {
+    const result = await analyzeURL(url);
+    renderResults(result);
+  } catch (err) {
+    handleError(err);
+  }
+});
+
+// "Analyze another" resets the form to initial state
+analyzeAnotherBtn.addEventListener('click', () => {
+  resetState();
+  urlInput.value = '';
+  urlInput.focus();
+  document.getElementById('try-it').scrollIntoView({ behavior: 'smooth', block: 'start' });
+});