diff --git a/lookyloo/lookyloo.py b/lookyloo/lookyloo.py
index ea5d9668..6507fd05 100644
--- a/lookyloo/lookyloo.py
+++ b/lookyloo/lookyloo.py
@@ -168,7 +168,16 @@ class Indexing():
 return self.redis.sadd(f'bh|{urlnode.body_hash}|legitimate', urlnode.hostname)
+ def malicious_node(self, urlnode: URLNode) -> None:
+ if urlnode.empty_response:
+ return
+ self.redis.sadd('bh|malicious', urlnode.body_hash)
+
+ # Query DB
+
 def is_legitimate(self, urlnode: URLNode) -> Optional[bool]:
+ if urlnode.empty_response:
+ return None
 hostnames = self.redis.smembers(f'bh|{urlnode.body_hash}|legitimate')
 if hostnames:
 if urlnode.hostname in hostnames:
@@ -178,11 +187,6 @@ class Indexing():
 return False
 return None # Unknown
- def malicious_node(self, urlnode: URLNode) -> None:
- if urlnode.empty_response:
- return None
- self.redis.sadd('bh|malicious', urlnode.body_hash)
-
 def is_malicious(self, urlnode: URLNode) -> Optional[bool]:
 if urlnode.empty_response:
 return None
@@ -195,6 +199,19 @@ class Indexing():
 return True
 return None
+ def legitimacy_details(self, urlnode: URLNode) -> Optional[Tuple[bool, Optional[List[str]]]]:
+ if urlnode.empty_response:
+ return None
+ hostnames = self.redis.smembers(f'bh|{urlnode.body_hash}|legitimate')
+ if hostnames:
+ if urlnode.hostname in hostnames:
+ return (True, hostnames)
+ else:
+ return (False, hostnames)
+ elif self.redis.sismember('bh|malicious', urlnode.body_hash):
+ return False
+ return None
+
 class Lookyloo():
@@ -851,7 +868,8 @@ class Lookyloo():
 to_append: Dict[str, Any] = {
 'encrypted': url.name.startswith('https'),
 'url_path': url.name.split('/', 3)[-1],
- 'url_object': url
+ 'url_object': url,
+ 'legitimacy': self.indexing.legitimacy_details(url)
 }
 if not url.empty_response:
diff --git a/website/web/templates/hostname_popup.html b/website/web/templates/hostname_popup.html
index c3e836ee..d2344588 100644
--- a/website/web/templates/hostname_popup.html
+++ b/website/web/templates/hostname_popup.html
@@ -126,11 +126,29 @@
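Review bot: `is_legitimate` now returns `None` for an empty response as well as for an unknown body hash, and nothing on the method tells callers that the two cases share one value. A docstring such as `"""Return True/False when the body hash has a verdict, None when it is unknown or the response is empty."""` would document the tri-state. The relocated `malicious_node` could carry a one-line comment on why empty responses are skipped, presumably because every empty body shares the same hash. The body of `is_legitimate` continues outside this hunk.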
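Review bot: In `legitimacy_details`, the `elif self.redis.sismember('bh|malicious', urlnode.body_hash)` branch returns a bare `False`, while the annotation and the two branches above it promise a tuple. A consumer that indexes the result will fail on it, and one that only tests truthiness cannot tell a known-malicious body hash from the unknown case (`None`). Changing that line to `return (False, None)` keeps the shape consistent and the malicious verdict distinguishable. `hostnames` is passed through straight from `smembers`, which presumably yields a set rather than the annotated `List[str]`, so either the annotation or the value (e.g. `sorted(hostnames)`) should be adjusted. The branching also duplicates `is_legitimate`; deriving that method from this one would keep the two verdicts from drifting apart.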
{{ popup_icons(keys_response, url['url_object'], tree_uuid) }} +