How to Detect jQuery on Any Website (API Guide 2026)

jQuery turned 20 this year. It is still loaded on a majority of the public web — WordPress themes, legacy admin panels, e-commerce checkouts, government portals, and an enormous tail of small-business sites that have not been touched since 2018. Knowing whether a page uses jQuery (and which version) matters for security audits, framework-migration projects, sales prospecting, and competitive research.

This post covers two ways to detect jQuery: the manual browser-console method for a single site, and the DetectZeStack API for scanning thousands of domains. Every code example is copy-pasteable and uses fields that actually exist in the API response.

Why Detect jQuery in 2026

"Just check the source" sounds simple until you need an answer in code. The use cases that drive jQuery detection are almost never about one URL:

• Security teams want to find every public site running jQuery older than 3.5.0, where the HTML.prototype.append XSS pattern (CVE-2020-11022, CVE-2020-11023) still applies if untrusted HTML reaches .html().
• Migration leads need a list of pages still on jQuery before retiring it in favour of vanilla JS or a modern framework. Without a real inventory, "we removed jQuery" tends to mean "we removed it from the homepage."
• Sales teams selling modernization, headless commerce, or React/Vue rebuilds want to prospect companies whose front end signals "ready to upgrade."
• Researchers measuring framework adoption need reproducible, automated data, not a screenshot of DevTools.

All of those want the same answer in two forms: is jQuery present? and which version?

How jQuery Leaves Fingerprints on a Page

jQuery is unusually easy to detect because it advertises itself in three independent ways. Any one of them is enough; together they make false positives rare.

The window.jQuery and $ Globals

When jQuery loads through a normal <script> tag it attaches itself to the window object as both window.jQuery and (by default) window.$. From a browser console:

typeof window.jQuery         // "function" if loaded, "undefined" otherwise
window.jQuery.fn.jquery       // "3.7.1" (or whatever version is loaded)
typeof window.$               // usually "function", but $ may belong to another lib

The dollar-sign alias is a soft signal. Prototype, MooTools, Zepto, and a few in-house micro-libraries also publish $. Always probe window.jQuery first; treat a positive $ as a hint, not proof.

Script Tag Patterns and CDN Hosts

Even without running JavaScript, the HTML usually reveals jQuery. The library is most often loaded from one of three places:

• The official CDN at code.jquery.com/jquery-<version>.min.js
• Google Hosted Libraries: ajax.googleapis.com/ajax/libs/jquery/<version>/jquery.min.js
• A path under the site itself: /wp-includes/js/jquery/jquery.min.js (the canonical WordPress location) or /static/js/jquery-x.y.z.js

A quick grep against the HTML answers the question without executing anything:

curl -s https://example.com | grep -oE 'jquery[-.][0-9]+\.[0-9]+\.[0-9]+' | head -3

The same regex works in any language. It misses bundled builds (covered below), but it catches the vast majority of jQuery installations on the public web.

Version Strings in Source Maps and Comments

Even when the script tag does not include the version in its filename, the file itself usually does. Open the JS resource in DevTools and the first 10 lines contain a banner comment:

/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */

When a source map is published alongside the file, the //# sourceMappingURL=jquery-3.7.1.min.map directive at the bottom leaks the version too. The DetectZeStack detector reads both, which is why the version field is populated for most jQuery hits even when the URL is generic.

Manual Detection in the Browser Console

For a one-off check, DevTools is fastest. The snippet below works on every browser that ships a console (Chrome, Firefox, Safari, Edge):

(function () {
  var present = typeof window.jQuery === 'function';
  var version = present ? window.jQuery.fn.jquery : null;
  var dollarAliased = typeof window.$ === 'function' && window.$ === window.jQuery;
  console.log({ present: present, version: version, dollar_aliased: dollarAliased });
})();

A site that loads jQuery 3.7.1 with the default $ alias prints:

{ present: true, version: "3.7.1", dollar_aliased: true }

If present is true but dollar_aliased is false, somebody on the team called jQuery.noConflict() — common on pages that also load Prototype, an older Drupal core, or a competing library. The detector below picks that up too, by checking the script tags rather than the global.

Detect jQuery at Scale With the DetectZeStack API

The console method does not scale to 200 domains, let alone 200,000. For programmatic detection, the DetectZeStack /analyze endpoint returns every detected technology on a page as structured JSON, including jQuery and its parsed version when present.

Try It Without an API Key

The public /demo endpoint runs the same detector pipeline against any URL with no authentication. It is rate-limited but perfect for confirming the response shape before you wire up a real key:

curl -s "https://detectzestack.com/demo?url=https://jquery.com" | python3 -m json.tool

The response is a single JSON object. Trimmed to the relevant fields, a typical jQuery hit looks like:

{
  "url": "https://jquery.com",
  "domain": "jquery.com",
  "technologies": [
    {
      "name": "jQuery",
      "categories": ["JavaScript libraries"],
      "confidence": 100,
      "description": "jQuery is a JavaScript library for DOM manipulation, event handling, and AJAX.",
      "website": "https://jquery.com",
      "icon": "jQuery.svg",
      "source": "http",
      "version": "3.7.1",
      "cpe": ""
    }
  ],
  "categories": { "JavaScript libraries": ["jQuery"] },
  "meta": { "status_code": 200, "tech_count": 6, "scan_depth": "full" },
  "cached": false,
  "response_ms": 1421
}

Curl Example: /analyze With a RapidAPI Key

For production usage, sign up on RapidAPI and call /analyze with your key. The endpoint returns the same shape as /demo but without the demo rate limit, and the response is keyed against your monthly quota:

curl -s "https://detectzestack.p.rapidapi.com/analyze?url=https://wordpress.org" \
  -H "x-rapidapi-key: $RAPIDAPI_KEY" \
  -H "x-rapidapi-host: detectzestack.p.rapidapi.com" \
  | jq '.technologies[] | select(.name == "jQuery")'

If jQuery is detected, that pipe prints exactly the matching object:

{
  "name": "jQuery",
  "categories": ["JavaScript libraries"],
  "confidence": 100,
  "description": "jQuery is a JavaScript library for DOM manipulation, event handling, and AJAX.",
  "website": "https://jquery.com",
  "icon": "jQuery.svg",
  "source": "http",
  "version": "3.7.1",
  "cpe": ""
}

If jQuery is not present, jq outputs nothing and the script exits cleanly — easy to wire into a shell pipeline that filters a list of domains.

Parsing the Version Field

The version field is a plain semver string when the detector found one ("3.7.1", "1.12.4") and empty when it did not. It is empty in two situations: the page bundles jQuery into another file so neither the URL nor a banner comment is visible, or jQuery is loaded but at a path the detector did not have a fingerprint for. In both cases the name still reports jQuery.

For a security audit, a one-liner that flags any site running pre-3.5.0 jQuery looks like:

jq -r '
  .technologies[]
  | select(.name == "jQuery")
  | select(.version != "")
  | select(.version | split(".") | map(tonumber) | (.[0] < 3) or (.[0] == 3 and .[1] < 5))
  | "\(input_filename): jQuery \(.version)"
' analyses/*.json

That tells you which of the saved /analyze responses are on a jQuery old enough for the HTML.prototype.append XSS class. The same shape works for any other version cutoff you care about.

Batch Detection Across Thousands of Domains

The whole point of an HTTP API is that "scan one site" and "scan ten thousand" are the same code with a different loop. A minimal worker that reads a domain list, calls /analyze, and writes one JSON line per domain:

#!/usr/bin/env bash
# scan-jquery.sh — usage: scan-jquery.sh domains.txt > results.jsonl
set -euo pipefail

KEY="${RAPIDAPI_KEY:?set RAPIDAPI_KEY}"
HOST="detectzestack.p.rapidapi.com"

while IFS= read -r domain; do
  [ -z "$domain" ] && continue
  curl -s "https://${HOST}/analyze?url=https://${domain}" \
    -H "x-rapidapi-key: ${KEY}" \
    -H "x-rapidapi-host: ${HOST}" \
  | jq -c --arg d "$domain" '{
      domain: $d,
      jquery: (.technologies[]? | select(.name == "jQuery")) // null
    }'
done < "$1"

Each output line is either {"domain":"...","jquery":{...}} when jQuery is present or {"domain":"...","jquery":null} when it is not. Pipe the result into a database, a Google Sheet, or another jq filter to produce the report you actually need.

For higher-throughput patterns (concurrency, retries, batch endpoints), see Batch Scan 1,000 Websites for Tech Stack.

Common Pitfalls (jQuery Migrate, Bundled Builds, Async Loaders)

Three situations regularly trip up jQuery detection. Recognising them stops you from miscounting your inventory.

jQuery Migrate

WordPress and many legacy CMS themes load jquery-migrate.min.js alongside jQuery so that 1.x-era code keeps working under modern 3.x. The detector reports jQuery Migrate as a separate entry in the technologies array (category JavaScript libraries). If you see Migrate, you know the site is carrying jQuery and a compatibility shim — usually a stronger sales signal than jQuery alone.

Bundled Builds

Some sites concatenate jQuery into a single app.bundle.js with webpack or Rollup. The script tag no longer mentions jQuery and there is no separate file with a version comment. The HTTP-layer detector cannot see the version in that case, so version comes back empty — but name still reports jQuery if a hashed signature or a runtime fingerprint matches.

Async and Deferred Loaders

Pages that bootstrap jQuery from an async <script> tag have a brief window between page load and script execution during which window.jQuery is undefined. Manual console checks done too early miss it. The API-side detector waits for the HTML to settle and reads both the parsed DOM and the script src list, so async loaders are not an issue server-side — only in the browser console workflow.

Related JavaScript Detection

jQuery rarely lives alone. The same /analyze call that surfaces it also names every other framework, library, CDN, analytics tag, and CMS on the page. Useful follow-ups when jQuery is present:

• If you see jQuery, check the technologies array for WordPress — the two travel together. See Check if a Website Uses WordPress.
• If you see jQuery alongside React or Vue, the site is mid-migration. See How to Detect React and How to Detect Vue.
• For a broader sweep of JavaScript frameworks in a single call, see Detect the JavaScript Framework on Any Website.

Get Your API Key and Start Detecting

The flow is short:

1. Smoke test the response shape with curl https://detectzestack.com/demo?url=https://example.com — no key required.
2. Sign up at rapidapi.com/mlugoapx/api/detectzestack and copy your x-rapidapi-key. The free tier is 100 requests per month with no credit card.
3. Run the /analyze example above against a domain you control.
4. Read the technologies[].version on the jQuery entry — that's your answer.

From there, the same call gives you every other piece of the stack. One quota, one response shape, every technology in one shot.

Conclusion

Detecting jQuery on a single page takes one line in the DevTools console. Detecting it across a portfolio takes one HTTP call per domain. The version field on the technologies entry is the part that turns a yes/no answer into a security or migration decision — pay attention to whether it's populated, and treat an empty string as "present, version not detectable from this signal," not as "absent."