Most web technologies, including server-side software such as CMSs, leave trails of evidence of their presence in websites' HTML code. This code is publicly accessible, which is necessary for browsers to render and display the page. Techtracker is known to be very proficient at exposing these technologies through various fingerprinting methods.
Keeping your website secure
It may seem concerning that information about your website's technology stack is exposed. After all, hackers often target platforms with known vulnerabilities. However, simply knowing what software is in use is not enough to hack a website: there has to be a known, unpatched vulnerability to exploit.
It's crucially important to keep your software up-to-date. Well-known CMSs and frameworks are usually actively maintained by a company or community of skilled developers who fix security issues regularly. No software is perfectly secure and a level of maintenance will always be required.
Relying on secrecy as the main method of security is a practice widely rejected by security experts. However, a level of obscurity can help deter malicious hackers.
Hiding server-side technologies
Application security, at least in this context, mainly applies to server-side technologies as this is where database interactions and business processes happen. They're also easier to hide. Obscuring client-side libraries is a futile effort in almost all cases as the source code has to be sent to the browser to interpret and will always be discoverable.
To hide a technology from Techtracker, it helps to first understand how it works and what Techtracker looks for.
We'll go through a few examples below.
Hide PHP from Techtracker
PHP can be identified by looking for the .php file extension in URLs and the default PHPSESSID cookie. Rewriting URLs and changing the name of the cookie can make PHP harder to detect.
Hide Laravel from Techtracker
The Laravel PHP framework can also be identified by inspecting a website's cookies. It's possible to change the default cookie name to prevent this.
Hide Apache or Nginx version number from Techtracker
The Apache and Nginx web servers can be identified by looking for the Server response header when requesting a web page. By default this includes the version number. To avoid this, you can disable server tokens in the configuration file.
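To confirm on your own site that these changes took effect, the following added example (not Techtracker's code) checks response headers and page links for the PHP, Laravel and Apache/Nginx fingerprints described above. The function name, the sample data and the laravel_session cookie name (Laravel's default when the app name is unchanged) are assumptions, not taken from this page.

```python
import re
from urllib.parse import urlsplit

# Default session cookie names. "laravel_session" is an assumption: it is
# Laravel's default only while the application name is left unchanged.
DEFAULT_COOKIES = {"PHPSESSID": "PHP", "laravel_session": "Laravel"}

# Matches "nginx/1.24.0" or "Apache/2.4.57 (Ubuntu)", not a bare "nginx"/"Apache".
SERVER_VERSION = re.compile(r"^(apache|nginx)/(\d[\w.]*)", re.IGNORECASE)


def audit(headers, links):
    """Return (technology, evidence) pairs for each fingerprint still visible."""
    findings = []
    for name, value in headers:
        header = name.strip().lower()
        if header == "server":
            match = SERVER_VERSION.match(value.strip())
            if match:
                findings.append(
                    (match.group(1), f"Server header shows version {match.group(2)}")
                )
        elif header == "set-cookie":
            # The cookie name is everything before the first "=".
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in DEFAULT_COOKIES:
                findings.append(
                    (DEFAULT_COOKIES[cookie_name], f"default cookie {cookie_name}")
                )
    for link in links:
        # Check only the path so query strings do not hide the extension.
        if urlsplit(link).path.lower().endswith(".php"):
            findings.append(("PHP", f".php extension in {link}"))
    return findings


# Constructed sample data, not captured from a real site.
BEFORE_HEADERS = [
    ("Server", "nginx/1.24.0"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "laravel_session=eyJpdiI6; path=/; HttpOnly"),
]
BEFORE_LINKS = ["/index.php?page=about", "/contact"]
AFTER_HEADERS = [("Server", "nginx"), ("Set-Cookie", "sid=abc123; path=/; HttpOnly")]
AFTER_LINKS = ["/about", "/contact"]

if __name__ == "__main__":
    for label, h, l in (("before", BEFORE_HEADERS, BEFORE_LINKS),
                        ("after", AFTER_HEADERS, AFTER_LINKS)):
        print(label, audit(h, l) or "none of the listed fingerprints found")
```

An empty result only means the fingerprints named here are gone; other signals may remain.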
The information exposed by Techtracker is already public to anyone and hiding it does not make your website secure. In most cases hiding a technology's characteristics ranges from impractical to impossible, but as long as your software is up-to-date, it's not something to worry about.
Install the free browser extension to see technologies used on websites you visit at a glance.