All right, so Stackhouse is a tool I've been working on to see what's actually going on behind any website. I mean, it's sort of like Wappalyzer, but a bit more modular and built for developers who want to dig deeper. It basically finds the full stack for you — everything from frameworks and analytics to DNS records and security stuff.
I've put together a quick look at how the tool actually works:
I also made a short screencast if you want to see the scan in action: Watch the screencast
I've added a ton of scanners to this thing, so it can pick up all kinds of stuff:
- Frameworks & CMS: Next.js, React, WordPress, all that stuff.
- Analytics & Tracking: Google Analytics, Plausible, Posthog, and others.
- Hosting & CDNs: It catches multiple CDNs, like Cloudflare and Vercel, at the same time.
- Payments: Stripe, PayPal, Paddle, and more.
- Security: It checks your HSTS, CSP, and all those other important headers.
- DNS & SSL: MX, NS, SPF, DKIM, and all the certificate details.
- Domain Info: Registrar, expiration dates, and WHOIS data.
It's pretty easy to get this thing running. I'd suggest using Bun since that's what I'm using for the lockfile.
First, you'll want to grab the dependencies:
bun installNow, if you want to run the web interface, just start the dev server:
bun devThat'll get the Hono server running on http://localhost:6076. I mean, the UI is pretty simple, but it gets the job done.
If you're more of a terminal person, I mean, the CLI is pretty useful too. You can run a scan directly from your terminal:
bun cli seline.comYou can also export the report to a JSON file if you want to use it for something else:
bun cli seline.com --json --out=report.jsonI've set this up with a modular architecture. Every type of scan has its own file in src/scanners/, and the analyzer.ts file just orchestrates everything. It's pretty fast because it runs a lot of these scans in parallel, and I've added a 30-second global timeout so it doesn't just hang forever.
- Playwright: You'll need to run
bun x playwright install chromiumlocally if you want the deeper JS-rendered detection stuff to work. - Firewalls: Some environments might block the DNS-over-HTTPS fallback I'm using. I mean, I'm trying to make it more resilient, but it's something to watch out for.
All right, so that's basically it. Feel free to dig into the code and let me know if you hit any snags.