Forum Discussion
Stop Wappalyzer from detecting my back end server technologies
- Sep 06, 2022
The short answer is - not really..
Wappalyzer (at least as a browser plug-in) doesn't make any requests of it's own to your server, rather it looks at the responses your website sends to try and determine what technolgies you use, and it does a huge number of regex based checks against things like: filenames, HTTP headers, DOM content and likely more.
When run as a stand-alone client (which browses the website headlessly) I believe it sends a User-Agent string of Wappalyzer, which you could of course block, but as a browser extension it is just querying what the browser is already seeing.
The analysis engine is actually opensource so you could look for what Wappalyzer is detecting and then try to adjust your website so that it no longer triggers the detections: https://github.com/wappalyzer/wappalyzer/tree/master/src/technologies
There's no simple fix with a device in front of your website, in other words; you're going to have to obfuscate and change every imported JavaScript library, back-end technology etc that Wappalyzer can detect so that it no longer matches whatever signature the engine is looking for.
IMHO there is very little value in spending a huge amount of time 'stealthing' the technologies you use beyond ensuring an attacker can't trivially detect major versions of things like your webserver, and you're much better off spending time and resources ensuring that libraries are kept up-to-date and that any known vulnerabilities are patched in a timely manner.
The short answer is - not really..
Wappalyzer (at least as a browser plug-in) doesn't make any requests of it's own to your server, rather it looks at the responses your website sends to try and determine what technolgies you use, and it does a huge number of regex based checks against things like: filenames, HTTP headers, DOM content and likely more.
When run as a stand-alone client (which browses the website headlessly) I believe it sends a User-Agent string of Wappalyzer, which you could of course block, but as a browser extension it is just querying what the browser is already seeing.
The analysis engine is actually opensource so you could look for what Wappalyzer is detecting and then try to adjust your website so that it no longer triggers the detections: https://github.com/wappalyzer/wappalyzer/tree/master/src/technologies
There's no simple fix with a device in front of your website, in other words; you're going to have to obfuscate and change every imported JavaScript library, back-end technology etc that Wappalyzer can detect so that it no longer matches whatever signature the engine is looking for.
IMHO there is very little value in spending a huge amount of time 'stealthing' the technologies you use beyond ensuring an attacker can't trivially detect major versions of things like your webserver, and you're much better off spending time and resources ensuring that libraries are kept up-to-date and that any known vulnerabilities are patched in a timely manner.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com