🔍 What CMS / Tech Detector

Paste any website URL. Get its CMS, framework, hosting, CDN, analytics, DNS, security headers, TLS certificate, and SEO metadata — all in one report.

Try:
wordpress.org shopify.com vercel.com ghost.org stripe.com webflow.com
⚙️
Analyzing website…
Fetching HTML, running detection rules, resolving DNS, checking TLS.
Detection rules powered by the Wappalyzer OSS community fork (MIT license) + our own overlay for post-2022 tech.
Copied

About What CMS / Tech Detector

What CMS / Tech Detector identifies the technology stack behind any website in seconds — CMS platform, JavaScript framework, CSS library, web server, hosting provider, CDN, analytics services, tag manager, payment gateway, chat widget, DNS provider, email provider, and TLS certificate issuer. Feed it a URL, get a full report.

The detection engine combines the Wappalyzer open-source rule bundle (7,500+ technology signatures, MIT-licensed community fork) with our own hand-curated overlay for post-2022 tech like Astro, Bun, HTMX, Remix, Nuxt 3, Alpine, Tailwind, PostHog, Plausible, Cookiebot, and Turnstile. On top of that, we run native DNS lookups, IP geolocation, TLS certificate inspection, and security-header scoring for a full-stack profile.

Server-side by design. Because the browser's CORS policy blocks cross-origin fetches, the analysis runs on our server. Nothing about your visit is tied to the target site — the target only sees a request from our IP, not yours.

How to use

1

Paste a URL

Full https://… or bare example.com both work.

2

Click Analyze

We fetch the homepage, run 7,500+ detection rules, resolve DNS, check TLS, score security headers. Usually 2–5 seconds.

3

Read the cards

Summary at the top; expandable cards for CMS, frameworks, analytics, hosting, DNS, security, SEO.

4

Copy or share

Copy the full report as JSON or Markdown. Or share the URL to send someone the same analysis.

Key Features

7,500+ technology signatures

The Wappalyzer OSS community fork ships ~7,500 signatures covering CMSes (WordPress, Drupal, Joomla, Ghost, Shopify, Squarespace), frameworks (React, Vue, Angular, Svelte, Alpine, HTMX), CSS libraries (Bootstrap, Tailwind), analytics (GA, Matomo, Plausible, Fathom, PostHog), payment (Stripe, PayPal, Klarna), chat (Intercom, Crisp, Zendesk), CDN (Cloudflare, Fastly, Bunny), hosting (Vercel, Netlify, WP Engine, Kinsta), and hundreds more.

Post-2022 tech overlay

Wappalyzer's OSS snapshot froze in 2022. We add 50 hand-curated rules for the modern stack: Astro, Remix, SvelteKit, Qwik, Solid, Fresh, Nuxt 3, HTMX current, Tailwind 4, Vite, Alpine, PostHog, Plausible, Fathom, Sentry, Cookiebot, OneTrust, Turnstile, Payload CMS, Directus, Strapi, Sanity, Webflow, Framer, Wix, Shopify Hydrogen, and more.

DNS deep-dive

A, AAAA, MX, NS, TXT, CAA records — with derived intelligence: identified email provider (Google Workspace / Microsoft 365 / Zoho / Fastmail…), DNS provider (Cloudflare / Route 53 / GoDaddy…), and TXT verification tokens (Google Search Console, Facebook, Stripe, Microsoft, Apple Business, Pinterest…).

IP geolocation + hosting ISP

Resolves the target IP, then looks up country, region, ISP, and ASN via ip-api.com. Tells you if it's on AWS, Google Cloud, Cloudflare, DigitalOcean, Hetzner, or a regional hoster.

TLS certificate inspection

Reads the live TLS cert — issuer (Let's Encrypt, DigiCert, Google Trust Services, Sectigo), subject CN, validity dates, subject alternative names.

Security-header scoring

A-through-F grade based on HTTPS, HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy presence. Same pattern as SecurityHeaders.com.

SEO / meta breakdown

Title, meta description, canonical, viewport, robots, language, Open Graph properties, Twitter Cards, JSON-LD types detected, hreflang alternates.

24-hour result cache

Repeated scans of the same URL come back instantly from cache. Force a fresh scan any time with the "Force re-scan" toggle.

Common Use Cases

  • "What's this cool site built with?" — the classic curiosity scan
  • Competitive research — see the stack your rival is running
  • Vendor selection — check that a candidate is on a serious hosting stack
  • Due diligence for an acquisition or partnership
  • Sales prospecting — "who's still on WordPress and could use us instead"
  • SEO audit — canonical, robots, OG, JSON-LD all in one view
  • Security audit — quick pass/fail on HTTPS + HSTS + CSP
  • DNS/email troubleshooting — see MX, SPF, verification tokens at a glance
  • Learning what modern stacks look like — inspect prominent sites in your space
  • Migrating a legacy site — identify every third-party service before switching

Security & Privacy

  • Server-side but privacy-safe: the target site only sees a request from our IP, not yours. We don't record what you scan.
  • SSRF-hardened: we refuse to fetch private IP ranges, loopback, or link-local addresses — no internal-network probing.
  • Response cap: 2 MB max response body, 15 s timeout, 5 redirect max. Protects against traps.
  • Rate limits: 20 scans per hour per IP. Prevents abuse without hurting genuine use.
  • No script execution: we don't run JavaScript from the target site. Detection is by pattern matching on the response, not by executing potentially malicious code.
  • Result caching: we cache results per URL for 24 hours to reduce redundant fetches. Force a fresh scan any time.
  • Attribution: Wappalyzer rules used under MIT license — credit at the bottom of the tool.

Frequently Asked Questions

For server-rendered pages, detection is highly accurate — CMS + framework + hosting are usually right. For JavaScript-heavy SPAs (Next.js, Nuxt, Remix), the initial HTML has fewer signals so plugin/theme details may be missed. Confidence scores are shown per technology; treat lower scores as hints, not facts.
Some sites are protected by Cloudflare bot mitigation and return a challenge page instead of the real HTML. We follow redirects but can't solve interactive challenges. Try a specific inner page instead of the homepage.
They see one HTTP request from our server's IP with a "ToolsPow-SiteDetector" user agent. They can log that request, but they can't link it to you — the fetch is server-side, not through your browser.
No — we block private IP ranges (RFC 1918), loopback, and link-local addresses. This is an SSRF safeguard. Scan public URLs only.
Browsers block cross-origin fetches (CORS), and they have no DNS-lookup, WHOIS, or IP-geolocation APIs. So this one has to be server-side. To keep our infrastructure safe, we've hardened against SSRF and rate-limit at 20 scans/hour per IP.
Yes — no signup, no API key, no per-scan cost. Rate-limited to protect against abuse; genuine use will never hit the limit.