How do I see what a website is built with?

With technology fingerprinting: analysing the HTTP headers, cookies, meta tags and HTML/script URLs the server returns, and matching them against patterns of known technologies. See it automatically at https://subs.gr/tools/techstack.

Is it legal to detect a site's technology stack?

Yes — only the public data the server sends to every visitor (headers, HTML, cookies) is analysed. No unauthorised access takes place.

Why doesn't detection find every technology?

Detection relies on the initial HTML and does not execute JavaScript. Technologies loaded dynamically, or sites that removed their traces (Server header, generator meta) or sit behind a CDN/WAF, may not appear.

Web & Dev Tools 7 min read

How to See What a Website Is Built With

What technology fingerprinting is, how CMS, frameworks, server and CDN are detected from headers/cookies/HTML, and how to read the results correctly.

What Does "What a Website Is Built With" Mean?

Every website runs on a technology stack — a set of technologies working together: a CMS or framework that generates the pages (WordPress, Shopify, Laravel, Next.js), JavaScript libraries on the frontend (React, Vue, jQuery), a web server (Nginx, Apache, LiteSpeed), a backend language (PHP, Node.js, Python), often a CDN (Cloudflare, Fastly), plus analytics, payment systems, captchas and dozens more.

Identifying that stack is called technology fingerprinting. It's extremely useful for competitive research, security assessment, lead generation, or simply learning how a site you liked is built. The Technology Lookup tool does this automatically — here we explain how it works under the hood.

How Technologies Are Detected

There's no "magic" API that tells you what a site is built with. Detection works via fingerprints: every technology leaves characteristic traces in the server's response. There are four main sources:

1. HTTP Response Headers

With every request, the server returns headers that often reveal technologies:

Server: nginx/1.24.0
X-Powered-By: PHP/8.2.10
X-Pingback: https://site.com/xmlrpc.php
CF-RAY: 8a1b2c3d4e5f-FRA

Server → the web server (nginx, Apache, LiteSpeed)
X-Powered-By → language/framework (PHP, ASP.NET, Express)
X-Pingback with xmlrpc.php → almost certainly WordPress
CF-RAY → the site is served through Cloudflare

2. Cookies

Cookies set by the server are among the most reliable signals, because their names are nearly unique per framework:

laravel_session / XSRF-TOKEN → Laravel
PHPSESSID → PHP
csrftoken → Django (Python)
mage-cache-storage → Magento
woocommerce_cart_hash → WooCommerce

3. Meta Tags

Many CMSs leave their signature in the HTML, often with the version:

<meta name="generator" content="WordPress 6.4.2">
<meta name="generator" content="Joomla! - Open Source Content Management">

The generator meta is the fastest way to identify a CMS — as long as the admin hasn't removed it.

4. HTML & Script URLs

Paths in <script src>, <link> and patterns inside the HTML are strong indicators:

/wp-content/themes/...     → WordPress
cdn.shopify.com            → Shopify
/_next/static/...          → Next.js
googletagmanager.com/gtm.js → Google Tag Manager
js.stripe.com              → Stripe

See the full technology stack of any site automatically:

→ Technology Lookup

Implied Technologies

Some technologies imply others. If WooCommerce is detected, we know for certain WordPress runs underneath, therefore PHP, therefore (typically) MySQL — even if none of those appear explicitly:

WooCommerce → WordPress → PHP → MySQL
Next.js → React → Node.js
Nuxt.js → Vue.js

These are flagged as "implied". They're logically safe, but it's good to know they came from inference, not direct detection.

Why the Result Is Sometimes Incomplete

Fingerprinting from static HTML has limits. Knowing them helps you interpret results correctly:

JavaScript-loaded technologies: anything loaded dynamically after the initial render (e.g. via a tag manager) may not appear — detection does not execute JavaScript.
Hidden traces: many admins deliberately remove the Server header, X-Powered-By or generator meta for security.
CDN/WAF in front: a Cloudflare or Sucuri in front can "hide" the real server or return different markup to bots.
Versions: a version only shows when explicitly exposed (generator meta, header, or a filename like jquery-3.7.1.min.js).

How to "Hide" Your Own Site's Stack

If you don't want to reveal your technologies (it reduces the surface for targeted attacks against known CVEs):

Apache: ServerTokens Prod + Header always unset X-Powered-By
Nginx: server_tokens off;
PHP: expose_php = Off in php.ini
WordPress: remove the generator meta with remove_action('wp_head', 'wp_generator');

Note: this is "security through obscurity" — it slows down mass scanners, but it's no substitute for actual updating/patching.

Frequently Asked Questions

Is it legal to check what a site is built with?

Yes. You only analyse data the server returns publicly to every visitor (headers, HTML, cookies). No unauthorised access happens — it's the same information your browser sees.

How is it different from Wappalyzer or BuiltWith?

The fingerprinting logic is the same. Our tool runs 100% server-side against a pattern database of thousands of technologies — with no browser extension and without sending your data to third parties.

Why does it show "PHP" when it's mentioned nowhere?

It's an implied technology. If WordPress or Laravel is detected, it's safe to infer PHP runs underneath. Such entries are flagged as "implied".

Can I trust the result 100%?

Treat it as a strong signal, not absolute proof. Patterns are designed conservatively to avoid false positives, but technologies loaded via JavaScript or with their traces removed may be missing.

Try it now

Technology Lookup What a website is built with (Wappalyzer-style)

Related guides

All guides