GetStack is a website platform detection tool that allows users to analyze websites to determine their underlying technology stack. The application detects WordPress, Wix, Shopify, and Squarespace platforms, and provides detailed insights including version detection, theme identification, plugin analysis (for WordPress), and general technology stack detection. Built as a full-stack web application, it features a modern React frontend with a clean, professional interface and an Express.js backend that handles website analysis requests.
Preferred communication style: Simple, everyday language.
The client-side is built with React and TypeScript, utilizing modern development practices:
- UI Framework: React with TypeScript for type safety
- Styling: Tailwind CSS with shadcn/ui component library for consistent design
- State Management: TanStack React Query for server state management
- Routing: Wouter for lightweight client-side routing
- Forms: React Hook Form with Zod validation for robust form handling
- Build Tool: Vite for fast development and optimized builds
The server uses Node.js with Express in a RESTful API pattern:
- Runtime: Node.js with Express.js framework
- Language: TypeScript with ESM modules
- API Design: RESTful endpoints with centralized route registration
- Validation: Zod schemas for request/response validation
- Storage: Abstracted storage interface supporting both in-memory and database persistence
The application uses Replit Auth for secure user authentication:
- Auth Provider: Replit Auth integration (secure OAuth via Replit)
- Session Storage: PostgreSQL-backed sessions via
connect-pg-simple - User Management: Users stored in
userstable with Replit profile data +stripe_customer_id - Tier System: Free (public tool only) and Premium ($9/month via Stripe, unlocks full dashboard)
- Protected Routes: Dashboard requires Premium subscription; public /detect tool is free to all
- Rate Limiting: Auth endpoints protected by
express-rate-limit
Stripe integration for subscription billing:
- Integration: Replit-native Stripe connector (no manual API keys needed)
- Package:
stripe+stripe-replit-syncfor webhook sync to PostgreSQL - Product: "GetStack Premium" at $9/month (seeded via
npx tsx scripts/seed-products.ts) - Webhook:
/api/stripe/webhookregistered BEFORE express.json() (receives raw Buffer) - Stripe Schema:
stripe.*tables auto-managed by stripe-replit-sync (products, prices, subscriptions, customers) - Tier Check:
GET /api/stripe/products-with-prices→ pricing page;GET /api/user/tier→ subscription status - Checkout:
POST /api/stripe/checkoutcreates Stripe checkout session, saves stripeCustomerId to users table - Portal:
POST /api/stripe/portalopens Stripe billing portal for subscription management - Super Admins: Always get premium access regardless of subscription status
server/stripeClient.ts— Replit connector-based Stripe client (getUncachableStripeClient, getStripeSync)server/webhookHandlers.ts— Processes raw Stripe webhooks via stripe-replit-syncserver/stripeRoutes.ts— All Stripe API endpoints registered on the Express appscripts/seed-products.ts— Run once to create the Premium product in Stripe
server/replit_integrations/auth/- Auth setup and middlewareclient/src/hooks/use-auth.ts- Client-side auth hookclient/src/pages/login.tsx- Login page with Replit Auth buttonclient/src/pages/admin.tsx- Super Admin dashboard (protected by DB role)
- Admin page available at
/admin - Protected by
rolecolumn onuserstable (must besuper_admin) - Server returns 404 (not 403) for non-admins so the page appears non-existent
- Admin link visible only to super_admin users in sidebar, mobile sidebar, and dashboard header dropdowns
- Shows: email, role, tier, creation date, last login (updatedAt)
- Stats: total users, signups in last 7 days, free users, premium users
- Super admin emails:
richard@humanelement.agency - The
upsertUserin auth storage excludesrolefrom updates to prevent login from resetting it client/src/pages/dashboard.tsx- Protected dashboard (redirects to login if unauthenticated)
- Free Users: Public /detect tool only — no dashboard access
- Premium Users: Full dashboard, save up to 100 sites, detection history
- Tier Check Logic: Queries
stripe.subscriptionsfor active/trialing subscription linked to user'sstripeCustomerId; falls back to free if none found - Pricing Page:
/pricing— dynamically loads plan fromGET /api/stripe/products-with-prices, falls back to "$9" display
The application uses a flexible storage approach:
- ORM: Drizzle ORM with PostgreSQL dialect for database operations
- Database: Configured for PostgreSQL with Neon Database serverless connection
- Schema Management: Drizzle Kit for database migrations and schema management
- Fallback Storage: In-memory storage implementation for development/testing
users- User profiles from Replit Authsessions- Express session storageuser_tiers- Subscription tier tracking (free/premium)pinned_sites- User's saved/pinned detection resultsdetection_requests- Detection history and logs
The core functionality analyzes websites to detect WordPress, Wix, and Shopify through multiple detection methods:
- HTTP Headers: Examines
X-Generator,X-Powered-Byheaders for WordPress signatures - Meta Tags: Looks for WordPress generator meta tags with version information
- Content Patterns: Identifies
/wp-content/,/wp-includes/, and WordPress REST API endpoints - Score-based System: Requires minimum score of 4 and at least 1 strong indicator for positive detection
- HTTP Headers: Checks for
X-Wix-Request-Id,X-Wix-Instanceheaders - CDN Patterns: Detects
static.wixstatic.comandparastorage.comresources - JavaScript: Identifies Wix-specific scripts like
wix-thunderboltandclientSideRender.min.js - Cookies: Looks for
_wix_browser_sessand other Wix session identifiers - Site Details Extraction: When Wix is detected, extracts site title, description, OG image, template name, rendering engine (Thunderbolt/Santa), and language
- WixInfo Schema: Stored as
wix_infojsonb column indetection_requeststable, typed viaWixInfoinshared/schema.ts - Builder Type Detection: Identifies Wix Editor vs Wix Studio vs Wix Velo (Custom Code) based on script signatures
- Wix App Detection: Detects enabled Wix apps (Stores, Blog, Bookings, Events, Restaurants, Forum, Music, Pro Gallery, Pricing Plans, Members, Chat, Forms) from HTML content patterns
- Site Categorization: Infers site category (E-commerce, Blog, Services/Bookings, Events, Restaurant, Community, Portfolio, Music, General) from detected apps
- Template Identification: Searches warmup data, data-template attributes, templateId JSON, bootstrapData/pageData/siteData blobs; falls back to "Custom Wix Build" or "Custom Wix Build (Category)" when no template found
- Purple Card Display: Wix results show a themed purple "Site Details" card with builder type badge, site category badge, detected Wix apps as tags, and template info
- HTTP Headers: Checks for
X-ShopId,X-Shopify-Stage,X-Shopify-Shop-Api-Call-Limit - CDN Patterns: Detects
cdn.shopify.comresources - Domain References: Identifies
myshopify.comreferences in content - JavaScript API: Looks for
Shopify.theme,Shopify.routes, andShopify.Checkoutobjects - Analytics: Detects Shopify-specific cookies (
_shopify_s,_shopify_y, etc.)
- HTTP Headers: Checks for
X-Sqsp-VersionandServer: Squarespace - CDN Patterns: Detects
static1.squarespace.comandimages.squarespace-cdn.comresources - Meta Tags: Looks for
<meta name="generator" content="Squarespace"> - JavaScript Globals: Identifies
SQUARESPACE_CONTEXTandwindow.SQUARESPACE_6 - CSS Classes: Detects
sqs-prefixed CSS classes,sqs-block,sqs-layout - Score-based System: Requires minimum score of 4 and at least 1 indicator
- SquarespaceInfo Schema: Stored as
squarespace_infojsonb column indetection_requeststable, typed viaSquarespaceInfoinshared/schema.ts - Info Extraction: When detected, extracts site title, description, template ID, version (7.0/7.1), language, site ID, OG image
- Feature Detection: Detects Squarespace capabilities (Store, Blog, Scheduling, Member Areas, Podcast, Newsletter, Courses, Donations) from HTML content patterns
- Site Categorization: Infers category (E-commerce, Blog, Services, Media, Education, General) from detected features
- Dark Card Display: Squarespace results show a black-themed SVG placeholder, purple "Site Details" card with version/template info, and blue "Detected Features" card
General Features:
- Technology Detection: Identifies additional technologies in use (React, Vue, Next.js, etc.)
- Timeout Handling: 10-second request timeout for reliable performance
- Error Handling: Comprehensive error reporting for failed analyses
- SSRF Protection: Blocks private IP ranges to prevent server-side request forgery
The application uses a comprehensive multi-method detection system to identify WordPress plugins:
Detection Methods:
- Path Detection: Scans HTML for
/wp-content/plugins/FOLDER-NAME/paths with version extraction from?ver=query strings - Directory Listing: Attempts to access
/wp-content/plugins/(rarely available due to security) - CSS Class/ID Patterns: Detects plugins via known CSS classes (elementor-*, woocommerce, etc.) using signature database
- Script/Style Handles: Identifies plugins from script/link asset URLs (elementor-frontend.min.js, woocommerce.min.js)
- Meta/JSON-LD Parsing: Extracts plugin references from structured data and meta tags (Yoast, RankMath)
- REST Endpoint Detection: Checks for known plugin REST namespaces (wc/, yoast/, jetpack/, contact-form-7/)
- WPScan Validation: If
WPSCAN_API_TOKENis configured, validates detected plugins against WPScan vulnerability database - Core Filtering: Excludes WordPress core components (wp-block-editor, wp-site-health, etc.)
Signature Database: server/plugin-signatures.json contains fingerprints for 15+ popular plugins with CSS classes, script patterns, REST endpoints, and meta patterns for enhanced detection accuracy.
WPScan API Integration:
- Optional enhancement requiring free API token from https://wpscan.com/register
- Free tier: 25 API requests per day
- Used for validation only - confirms detected plugins exist in WPScan database
- All plugins are preserved regardless of WPScan response (handles 404, auth errors, rate limits gracefully)
- Does not change WordPress/Wix detection logic - only enhances plugin confidence
Known Limitations:
- Only detects plugins that load frontend assets (JS, CSS, images)
- Backend-only plugins are invisible (security, admin tools, email, backup plugins)
- Asset optimization plugins (like Autoptimize) can hide plugin paths by bundling files
- Average detection rate: ~40-50% of installed plugins on typical WordPress sites
- WPScan API provides vulnerability lookups, not plugin enumeration
- Complete plugin detection requires WordPress admin access or scanner tools
The application supports both development and production environments:
- Development: Vite dev server with hot module replacement
- Production: Static asset serving with Express
- Build Process: Separate client and server build pipelines
- Environment: Environment-based configuration with proper error handling
- @neondatabase/serverless: Serverless PostgreSQL database connection
- drizzle-orm & drizzle-kit: Modern TypeScript ORM and migration toolkit
- express: Web application framework for Node.js
- @tanstack/react-query: Powerful data synchronization for React
- @radix-ui/*: Comprehensive collection of unstyled, accessible UI primitives
- tailwindcss: Utility-first CSS framework
- class-variance-authority: Utility for creating variant-based component APIs
- lucide-react: Icon library for React components
- react-hook-form: Performant forms with easy validation
- @hookform/resolvers: Validation resolver for various schema libraries
- zod: TypeScript-first schema validation
- drizzle-zod: Integration between Drizzle ORM and Zod validation
- vite: Next generation frontend tooling
- tsx: TypeScript execution environment for Node.js
- esbuild: Fast JavaScript bundler for production builds
- @replit/*: Replit-specific development enhancements and error reporting
- date-fns: Modern JavaScript date utility library
- wouter: Minimalist routing for React
- connect-pg-simple: PostgreSQL session store for Express sessions