About What CMS / Tech Detector
What CMS / Tech Detector identifies the technology stack behind any website in seconds — CMS platform, JavaScript framework, CSS library, web server, hosting provider, CDN, analytics services, tag manager, payment gateway, chat widget, DNS provider, email provider, and TLS certificate issuer. Feed it a URL, get a full report.
The detection engine combines the Wappalyzer open-source rule bundle (7,500+ technology signatures, MIT-licensed community fork) with our own hand-curated overlay for post-2022 tech like Astro, Bun, HTMX, Remix, Nuxt 3, Alpine, Tailwind, PostHog, Plausible, Cookiebot, and Turnstile. On top of that, we run native DNS lookups, IP geolocation, TLS certificate inspection, and security-header scoring for a full-stack profile.
Server-side by design. Because the browser's CORS policy blocks cross-origin fetches, the analysis runs on our server. Nothing about your visit is tied to the target site — the target only sees a request from our IP, not yours.
How to use
Paste a URL
Full https://… or bare example.com both work.
Click Analyze
We fetch the homepage, run 7,500+ detection rules, resolve DNS, check TLS, score security headers. Usually 2–5 seconds.
Read the cards
Summary at the top; expandable cards for CMS, frameworks, analytics, hosting, DNS, security, SEO.
Copy or share
Copy the full report as JSON or Markdown. Or share the URL to send someone the same analysis.
Key Features
7,500+ technology signatures
The Wappalyzer OSS community fork ships ~7,500 signatures covering CMSes (WordPress, Drupal, Joomla, Ghost, Shopify, Squarespace), frameworks (React, Vue, Angular, Svelte, Alpine, HTMX), CSS libraries (Bootstrap, Tailwind), analytics (GA, Matomo, Plausible, Fathom, PostHog), payment (Stripe, PayPal, Klarna), chat (Intercom, Crisp, Zendesk), CDN (Cloudflare, Fastly, Bunny), hosting (Vercel, Netlify, WP Engine, Kinsta), and hundreds more.
Post-2022 tech overlay
Wappalyzer's OSS snapshot froze in 2022. We add 50 hand-curated rules for the modern stack: Astro, Remix, SvelteKit, Qwik, Solid, Fresh, Nuxt 3, HTMX current, Tailwind 4, Vite, Alpine, PostHog, Plausible, Fathom, Sentry, Cookiebot, OneTrust, Turnstile, Payload CMS, Directus, Strapi, Sanity, Webflow, Framer, Wix, Shopify Hydrogen, and more.
DNS deep-dive
A, AAAA, MX, NS, TXT, CAA records — with derived intelligence: identified email provider (Google Workspace / Microsoft 365 / Zoho / Fastmail…), DNS provider (Cloudflare / Route 53 / GoDaddy…), and TXT verification tokens (Google Search Console, Facebook, Stripe, Microsoft, Apple Business, Pinterest…).
IP geolocation + hosting ISP
Resolves the target IP, then looks up country, region, ISP, and ASN via ip-api.com. Tells you if it's on AWS, Google Cloud, Cloudflare, DigitalOcean, Hetzner, or a regional hoster.
TLS certificate inspection
Reads the live TLS cert — issuer (Let's Encrypt, DigiCert, Google Trust Services, Sectigo), subject CN, validity dates, subject alternative names.
Security-header scoring
A-through-F grade based on HTTPS, HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy presence. Same pattern as SecurityHeaders.com.
SEO / meta breakdown
Title, meta description, canonical, viewport, robots, language, Open Graph properties, Twitter Cards, JSON-LD types detected, hreflang alternates.
24-hour result cache
Repeated scans of the same URL come back instantly from cache. Force a fresh scan any time with the "Force re-scan" toggle.
Common Use Cases
- "What's this cool site built with?" — the classic curiosity scan
- Competitive research — see the stack your rival is running
- Vendor selection — check that a candidate is on a serious hosting stack
- Due diligence for an acquisition or partnership
- Sales prospecting — "who's still on WordPress and could use us instead"
- SEO audit — canonical, robots, OG, JSON-LD all in one view
- Security audit — quick pass/fail on HTTPS + HSTS + CSP
- DNS/email troubleshooting — see MX, SPF, verification tokens at a glance
- Learning what modern stacks look like — inspect prominent sites in your space
- Migrating a legacy site — identify every third-party service before switching
Security & Privacy
- Server-side but privacy-safe: the target site only sees a request from our IP, not yours. We don't record what you scan.
- SSRF-hardened: we refuse to fetch private IP ranges, loopback, or link-local addresses — no internal-network probing.
- Response cap: 2 MB max response body, 15 s timeout, 5 redirect max. Protects against traps.
- Rate limits: 20 scans per hour per IP. Prevents abuse without hurting genuine use.
- No script execution: we don't run JavaScript from the target site. Detection is by pattern matching on the response, not by executing potentially malicious code.
- Result caching: we cache results per URL for 24 hours to reduce redundant fetches. Force a fresh scan any time.
- Attribution: Wappalyzer rules used under MIT license — credit at the bottom of the tool.