What is the SiteReveal Score™?

The SiteReveal Score™ is a 0–100 composite score that measures a website across six weighted dimensions: Security, Performance, SEO, Technology Modernity, Accessibility, and Data & Analytics. It is generated by SiteReveal AI's headless browser analysis engine.

How does the website analyzer work?

SiteReveal AI's headless browser crawler loads the target URL in an isolated Chromium context, intercepts all network requests, and inspects the fully-rendered DOM. The detection engine then matches signals against our technology signatures database to identify CMS platforms, JavaScript frameworks, analytics tools, security headers, and more.

Is the first scan free?

Yes. Your first website scan is completely free. No account is required. Results are delivered in under 60 seconds.

How Website Technology Detection Works: Behind the Scanner

The Problem: Websites Don't Announce Themselves

When you visit a website, the server does not send a header saying "This site is built with Next.js 14, hosted on Vercel, and uses Stripe for payments." That information is deliberately obscured — partly for security, partly because it is simply not part of the HTTP specification.

Yet technology detection tools can identify dozens of technologies on a page with high confidence. How?

The answer is signal triangulation — combining multiple weak signals into a high-confidence detection. SiteReveal's scanner uses a headless Chromium browser to load the target URL and then inspects six categories of signals simultaneously.

The Six Detection Signal Categories

1. HTTP Response Headers

The server's response headers are the first place to look. Certain headers are technology-specific:

X-Powered-By: Express — reveals the Node.js framework
Server: nginx/1.24.0 — reveals the web server and version
X-Shopify-Stage: production — reveals the e-commerce platform
CF-Ray: abc123 — reveals Cloudflare CDN presence

Headers are easy to spoof or suppress, so they are treated as supporting evidence rather than definitive proof.

2. Script URLs and Filenames

The URLs of JavaScript and CSS files loaded by the page are highly revealing:

/_next/static/chunks/ — Next.js
/wp-content/themes/ — WordPress
/assets/application-abc123.js — Rails asset pipeline
https://cdn.shopify.com/s/files/ — Shopify CDN_

These URL patterns are difficult to change without breaking the application, making them reliable signals.

3. Global JavaScript Variables

Modern JavaScript frameworks and analytics tools write identifiable variables to the browser's window object. SiteReveal's scanner evaluates these in the page context:

window.next — Next.js
window.Shopify — Shopify
window.ga or window.gtag — Google Analytics
window.Stripe — Stripe.js
window.__NUXT__ — Nuxt.js

These variables are almost impossible to suppress without breaking the application's functionality, making them among the most reliable signals.

4. HTML Meta Tags and Comments

The HTML source contains technology fingerprints in meta tags and comments:

html

<!-- WordPress -->
<meta name="generator" content="WordPress 6.4.2">

<!-- Drupal -->
<meta name="Generator" content="Drupal 10">

<!-- Gatsby -->
<!-- This site is built with Gatsby -->

<!-- WordPress -->
<meta name="generator" content="WordPress 6.4.2">

<!-- Drupal -->
<meta name="Generator" content="Drupal 10">

<!-- Gatsby -->
<!-- This site is built with Gatsby -->

The generator meta tag is particularly useful for CMS detection, though security-conscious sites often remove it.

5. Cookie Names and Patterns

Session cookies often follow technology-specific naming conventions:

PHPSESSID — PHP session
JSESSIONID — Java/Tomcat session
_shopify_s — Shopify session
wp-settings-* — WordPress user settings
_ga — Google Analytics*

Cookie names are set by the application and are difficult to change without breaking session management.

6. DOM Structure and CSS Classes

The rendered HTML structure reveals framework-specific patterns:

<div id="__next"> — Next.js root
<div id="app"> — Vue.js or React app root
class="wp-block-*" — WordPress Gutenberg blocks
data-reactroot — React (older versions)__*

Confidence Scoring

Each detected technology receives a confidence score from 0 to 1, based on how many independent signals corroborate the detection:

Signals Present	Confidence
1 signal (e.g., header only)	0.3–0.5
2 signals (e.g., header + script URL)	0.6–0.75
3+ signals (e.g., header + script + window variable)	0.85–1.0

SiteReveal only reports technologies with a confidence score above 0.4. Technologies detected with a single weak signal are flagged as "possible" rather than "confirmed".

Why Technology Detection Matters for Your WIS Score

The Tech Modernity dimension of the WIS (weighted at 20%) uses technology detection to assess:

Framework versions — is the detected version current, or is it end-of-life?
Deprecated APIs — are deprecated browser APIs or server-side patterns in use?
End-of-life libraries — is jQuery 1.x still in use? PHP 7.x?
Modern tooling — is the site using modern build tools (Vite, esbuild, Turbopack) or legacy ones (Grunt, Bower)?

A site running WordPress 4.x on PHP 7.4 will score significantly lower on Tech Modernity than a site running Next.js 14 on Node.js 20 — even if both sites look identical to visitors.

The Privacy Implication

Technology detection is entirely passive — the scanner makes a standard HTTP request, exactly as a browser would. No credentials are required, no authentication is bypassed, and no data is written to the target server. Everything detected is information that is publicly available to any visitor.

This is why technology detection is a legitimate part of security auditing: if a scanner can detect that your site is running an outdated version of a framework with known vulnerabilities, so can an attacker. Knowing what you are exposing is the first step to securing it.

Run a free technology scan on your site to see exactly what SiteReveal detects — and what that reveals about your security posture.