A method and apparatus for look-ahead security. Within a document (e.g., a web page, a word processing document, a list of electronic mail messages), a link to other content or another document is selected and the content is identified before a user clicks on the link to open the content. The content is placed into a safe cache that prevents the content from adversely affecting the user's computing device. The content is scanned and/or its behavior is analyzed to detect any security threats or undesirable content (e.g., viruses, worms, scripts, adware, spyware, pornography). Results of the analysis may be collected at a central server. The link or an associated indicator may be configured to indicate whether a threat is present; more information may be provided as desired. A user may be provided with various options to ignore a threat, disable the link, etc.