ZeroTrace OSINT
Site Analysis
Tech stack, frameworks, CMS, web server, security headers, cookies, and third-party host fingerprinting in one fetch.
Site analysis is the "what is this site running" tool. One URL in, a complete fingerprint out.
It fetches the URL, parses the response headers and HTML, and matches against a large catalog of fingerprint patterns to identify frameworks, content management systems, web servers, analytics tools, JavaScript libraries, third-party services, and security configuration.
What you get
| Section | What it surfaces |
|---|---|
| Tech stack | CMS, framework, language, web server, JS frameworks, JS libraries, analytics, advertising, payment processors, support widgets, with confidence scoring per detection |
| Security headers | Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, with a missing-headers checklist |
| Cookies | Name, domain, secure / httpOnly / sameSite flags per cookie set on the response |
| Third-party hosts | Every external host the page references — analytics, fonts, CDNs, embeds — for a privacy view of the site |
| Mailto / tel links | Contact hints scraped from the HTML |
| Composed results | Auto-pulled favicon hash, robots.txt, sitemap presence, security.txt presence |
Tech stack with confidence
Detection is not all-or-nothing. Each fingerprint match emits a confidence value, surfaced as a coloured chip:
- High — multiple strong signals (header + meta tag + DOM pattern). Almost certainly correct.
- Medium — one strong signal or two weak ones. Likely correct.
- Low — single weak signal. Treat as a hint.
The toolkit ships with a fingerprint catalog covering the major and most of the long-tail web stacks: WordPress, Drupal, Joomla, Magento, Shopify, BigCommerce, Webflow, Framer, Vercel, Netlify, Cloudflare Pages, Next.js, Nuxt, React, Vue, Angular, Svelte, Laravel, Django, Rails, Express, ASP.NET, plus the major analytics, advertising, payment, font, and CDN providers.
Security headers checklist
The toolkit knows which security headers a modern web property should set. Missing-header callouts include:
| Header | What its absence means |
|---|---|
| Strict-Transport-Security | Browser does not get told to enforce HTTPS — downgrade attacks possible |
| Content-Security-Policy | XSS mitigations weakened — site relies on input sanitisation alone |
| X-Frame-Options / frame-ancestors | Clickjacking is possible — site can be iframed by hostile origins |
| X-Content-Type-Options | MIME-sniffing protection off — content-type confusion risks |
| Referrer-Policy | Default referrer behaviour — outbound URLs may leak query data |
| Permissions-Policy | Browser features (camera, mic, geo) not restricted |
A composite security grade (A+ / A / B / C / D / F) lets you skim a list of sites and find the worst-configured ones first.
Cookie inspector
Each cookie set on the response is parsed and shown with:
- Name and domain.
- Path.
- Secure / HttpOnly / SameSite flags.
- Expiry / max-age.
- Cookie size.
A cookie that lacks Secure and HttpOnly on a high-value site is a finding. A SameSite=None cookie without Secure is a misconfiguration.
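The two rules above can be checked directly against a response's Set-Cookie values. The following is an added example, not ZeroTrace's own code: the function names, finding strings, and sample headers are constructed for illustration, and the size calculation is an assumption.

```python
# Added example: audit Set-Cookie values against the two rules stated above.
SAMPLE_HEADERS = [  # constructed values, not captured from a real site
    "session=abc123; Path=/; Domain=example.test; Secure; HttpOnly; SameSite=Lax",
    "tracker=xyz; Path=/; SameSite=None; Max-Age=3600",
    "prefs=dark=1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; HttpOnly",
]

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into the fields the inspector lists."""
    parts = [p.strip() for p in header_value.split(";")]
    # Only the first "=" separates name from value; the value may contain more.
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return {
        "name": name.strip(),
        "domain": attrs.get("domain"),
        "path": attrs.get("path"),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite", "").capitalize() or None,
        "expires": attrs.get("expires"),
        "max_age": attrs.get("max-age"),
        # Assumption: size is name plus value in bytes; the page does not define it.
        "size": len((name.strip() + value).encode("utf-8")),
    }

def audit_cookie(cookie):
    """Return the findings for one parsed cookie (finding strings are hypothetical)."""
    findings = []
    if not cookie["secure"]:
        findings.append("missing Secure")
    if not cookie["httponly"]:
        findings.append("missing HttpOnly")
    if cookie["samesite"] == "None" and not cookie["secure"]:
        findings.append("SameSite=None without Secure")
    return findings

def audit_headers(header_values):
    """Map cookie name -> findings for every Set-Cookie value on a response."""
    parsed = [parse_set_cookie(v) for v in header_values]
    return {c["name"]: audit_cookie(c) for c in parsed}

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Whether a missing flag counts as a finding still depends on what the cookie holds: a session identifier without HttpOnly matters more than a theme preference.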
Third-party hosts (privacy view)
Every external host referenced from the HTML is listed: analytics scripts, ad networks, fonts, CDNs, embeds, payment widgets, support widgets. For a privacy audit of a site, this list is the single most useful artefact — it tells you who the site shares its visitors with.
Sites with twenty third-party hosts on the homepage are exposing every visitor to twenty other companies' tracking. For privacy-themed reporting, this is often the headline finding.
Auto-composed adjacent results
Site analysis automatically runs a few adjacent fetches in the background:
- Favicon hash — for cross-site favicon matching via Shodan / Censys.
- Robots.txt presence — does the site have one, what does the first line look like.
- security.txt presence — does the site advertise an authorised security contact.
- Sitemap presence — does the site link a sitemap from robots.txt.
Each of these has its own dedicated tool (linked) for full output.
Pivots
| Click on... | Pivot to |
|---|---|
| The hostname | DNS lookup, WHOIS, certificate transparency, subdomain discovery |
| Server header value | (no pivot — informational) |
| Third-party host | DNS lookup, IP geolocation on resolved IP |
| Favicon hash | Open in Shodan / Censys (URL builders) |
| Cookie domain | DNS lookup |
Sources
- The HTML and headers of the URL itself.
- A bundled fingerprint catalog (regularly updated with each application release).
- A bundled security-header checklist.
The tool fetches the URL once. It does not crawl. For multi-page reconnaissance, see the web crawler.