How to Detect if a Website Uses Laravel (2026 Guide)

Laravel is the most widely used PHP web framework, and it powers a huge slice of the modern PHP web: SaaS dashboards, admin panels, marketplaces, internal tools, and a long tail of agency-built business sites. Unlike a front-end library, Laravel runs on the server, so you cannot spot it by reading rendered HTML alone. The good news is that a default Laravel app leaves a clear, reliable fingerprint in its HTTP response — and once you know where to look, detection takes one request.

This guide covers two approaches: the manual method for checking a single site with curl, and the DetectZeStack API for confirming Laravel programmatically or scanning thousands of domains at once. Every code example is copy-pasteable and uses fields that actually exist in the API response.

What Is Laravel and Why Detect It

Laravel is a free, open-source PHP framework for building web applications, with conventions for routing, an ORM (Eloquent), a templating engine (Blade), queues, and authentication. Because it standardizes so much of an app's plumbing, "is this site Laravel?" is a useful question for several audiences:

• Agencies and consultants scoping a rebuild or takeover need to know the framework before they can estimate effort. A Laravel codebase implies PHP, Composer, and a specific set of conventions the team has to know.
• Sales teams selling PHP hosting, Laravel-specific tooling (Forge, Vapor, Nova alternatives), monitoring, or developer services want to prospect companies that actually run Laravel rather than guess.
• Security and asset-inventory teams mapping an organization's external surface want to flag PHP frameworks, because framework and version inform which CVEs are relevant.
• Researchers and market analysts measuring framework adoption need reproducible, automated data across a large sample, not a one-off manual check.

All of them want the same answer in code: is this site built on Laravel, yes or no?

Signals That Reveal a Laravel Website

Laravel does not advertise itself with a footer badge, but a default installation emits several signals. The cookie signal is by far the strongest; the rest are supporting evidence that helps when an app has been hardened.

Cookies and Headers (laravel_session, XSRF-TOKEN)

This is the signal that matters. By default, every Laravel response that hits the web middleware group sets two cookies:

• laravel_session — the encrypted session identifier. The name of this cookie is the framework fingerprint. This is the single most reliable tell that a site is Laravel.
• XSRF-TOKEN — the CSRF token Laravel exposes so that JavaScript clients (Axios, Inertia, Livewire) can echo it back in the X-XSRF-TOKEN header. Useful as a secondary signal, but the name is also used by a few other stacks, so weight it below laravel_session.

You can see both with a single curl -I, which fetches only the response headers:

$ curl -sI https://example.com | grep -i set-cookie
set-cookie: XSRF-TOKEN=eyJpdiI6Ii4uLiJ9...; expires=...; path=/; samesite=lax
set-cookie: laravel_session=eyJpdiI6Ii4uLiJ9...; expires=...; path=/; httponly; samesite=lax

Seeing laravel_session in a Set-Cookie header is, for practical purposes, proof the site is Laravel. The value is a long base64-looking string (Laravel's encrypted payload), the cookie is usually HttpOnly, and it almost always appears next to XSRF-TOKEN.

One more header worth checking is X-Powered-By. Laravel itself does not set it, but the underlying PHP runtime often does, which corroborates the PHP layer:

$ curl -sI https://example.com | grep -iE "x-powered-by|server"
x-powered-by: PHP/8.3.7
server: nginx

HTML, Routing, and Error-Page Fingerprints

When you cannot rely on cookies (more on renamed cookies below), the response body still carries softer clues:

• CSRF meta tag. Many Laravel apps include <meta name="csrf-token" content="..."> in the <head> so front-end code can read the token. It is a convention, not a guarantee, but it is common.
• Livewire and Inertia markers. Apps built with Livewire emit wire: attributes and a /livewire/livewire.js asset; Inertia apps render a root <div id="app" data-page="...">. Both are strongly associated with Laravel front ends.
• The Whoops error page. In debug mode, an unhandled exception renders Laravel's "Whoops" error screen, with a distinctive dark layout and a stack trace. If you ever see one in the wild, it is an unambiguous Laravel tell (and a misconfiguration on the site's part).
• Routing and asset paths. Default paths like /storage/ symlinked assets, a Vite or Laravel Mix manifest, and the absence of .php in clean URLs (handled by Laravel's router) are all weak corroborating signals.

None of these is as reliable as the laravel_session cookie on its own, but together they raise confidence when the primary signal is missing.

DNS and Server-Side Clues

DNS will not tell you Laravel directly — it is application code, not infrastructure — but the surrounding stack often correlates. A Laravel site is frequently deployed on:

• A VPS or managed PHP host behind nginx or Apache (visible in the Server header).
• AWS via Laravel Vapor (serverless PHP on Lambda), which can show CloudFront and API Gateway signals in DNS and headers.
• A platform like Laravel Forge-provisioned servers, which look like a plain nginx + PHP-FPM box.

Treat DNS as context, not proof. It helps you understand where a Laravel app runs once you have already confirmed the framework from the cookie.

Manual Detection vs. an API

The curl -sI cookie check is perfect for a single site. It is free, instant, and needs nothing but a terminal. Where it falls down is volume and consistency:

• Scale. Checking one site by hand is fine; checking 5,000 prospect domains means writing a script that fetches, follows redirects, parses Set-Cookie across multiple headers, and handles timeouts and TLS errors.
• Edge cases. Cookies can be set on a later request, behind a redirect, or only after hitting a route that touches the session. A robust parser has to account for all of that.
• One answer, whole stack. Usually "is it Laravel?" is one question inside a bigger one — what database, what CDN, what analytics, what JS framework. An API returns the whole picture in a single call instead of a pile of bespoke greps.

That is the gap the DetectZeStack API fills: it runs the same cookie-and-header detection (plus DNS, TLS, and HTML fingerprinting) and hands back structured JSON.

Detect Laravel with the DetectZeStack API (curl Example)

Before wiring up a real key, you can confirm the response shape against the public /demo endpoint, which runs the same detector pipeline with no authentication. It is rate-limited but perfect for a smoke test:

curl -s "https://detectzestack.com/demo?url=https://example.com" | python3 -m json.tool

The response is a single JSON object. Trimmed to the relevant fields, a Laravel hit looks like this — note that because Laravel implies PHP, you typically get a PHP entry in the same response:

{
  "url": "https://example.com",
  "domain": "example.com",
  "technologies": [
    {
      "name": "Laravel",
      "categories": ["Web frameworks"],
      "confidence": 100,
      "description": "Laravel is a free, open-source PHP web framework.",
      "website": "https://laravel.com",
      "icon": "Laravel.svg",
      "source": "http",
      "version": "",
      "cpe": "cpe:2.3:a:laravel:laravel:*:*:*:*:*:*:*:*"
    },
    {
      "name": "PHP",
      "categories": ["Programming languages"],
      "confidence": 100,
      "description": "PHP is a general-purpose scripting language.",
      "website": "https://www.php.net",
      "icon": "PHP.svg",
      "source": "http",
      "version": "8.3.7",
      "cpe": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"
    }
  ],
  "categories": { "Web frameworks": ["Laravel"], "Programming languages": ["PHP"] },
  "meta": { "status_code": 200, "tech_count": 11, "scan_depth": "full" },
  "cached": false,
  "response_ms": 1523
}

For production usage, sign up on RapidAPI and call /analyze with your key. The endpoint returns the same shape as /demo but without the demo rate limit, and each call is counted against your monthly quota:

curl -s "https://detectzestack.p.rapidapi.com/analyze?url=https://example.com" \
  -H "x-rapidapi-key: $RAPIDAPI_KEY" \
  -H "x-rapidapi-host: detectzestack.p.rapidapi.com" \
  | jq '.technologies[] | select(.name == "Laravel")'

If Laravel is detected, that pipe prints exactly the matching object. If it is not present, jq outputs nothing and the script exits cleanly — easy to wire into a shell pipeline that filters a list of domains.

Confirm a Single Technology with /check

When you only care about one technology, the /check endpoint is more direct than /analyze. It runs the same detection but answers a yes/no question with a ?tech= parameter, so you do not have to filter the array yourself:

curl -s "https://detectzestack.p.rapidapi.com/check?url=https://example.com&tech=Laravel" \
  -H "x-rapidapi-key: $RAPIDAPI_KEY" \
  -H "x-rapidapi-host: detectzestack.p.rapidapi.com"

The response is a compact object built for exactly this question:

{
  "domain": "example.com",
  "technology": "Laravel",
  "detected": true,
  "confidence": 100,
  "version": "",
  "categories": ["Web frameworks"],
  "response_ms": 1187,
  "cached": false
}

The tech match is case-insensitive, and the returned technology field is the canonical name from the detector, so you can pass laravel and still get back Laravel. When the framework is absent, detected is false.

Reading the JSON Response

A few fields on the Laravel entry are worth understanding before you build on them:

• confidence — an integer from 0 to 100. A cookie-based Laravel match is a strong, unambiguous signal and reports 100.
• source — where the signal came from. For Laravel this is "http", because the laravel_session cookie lives in the HTTP response headers.
• version — usually an empty string for Laravel. The framework does not expose its version in the session cookie or default headers, so unlike a JS library loaded from a versioned CDN path, the Laravel version is generally not detectable from the outside. Treat an empty version here as "present, version not externally visible," not as "absent."
• cpe — the CPE identifier (cpe:2.3:a:laravel:laravel:...), which security teams can map to vulnerability databases. See CPE identifiers explained for how to use this for CVE matching.
• categories — Laravel lands in Web frameworks. The top-level categories map lets you pull every framework on a page in one read.

The top-level response_ms and cached fields (note: not inside meta) tell you how long the scan took and whether it was served from cache. The meta object carries only status_code, tech_count, and scan_depth.

Detecting Laravel at Scale with Batch Analysis

The single-site call does not scale to a prospect list of thousands. For that, loop a list of domains through /check or /analyze and collect the hits. A minimal shell pattern that prints every Laravel site from a file of domains:

while read -r domain; do
  result=$(curl -s "https://detectzestack.p.rapidapi.com/check?url=https://$domain&tech=Laravel" \
    -H "x-rapidapi-key: $RAPIDAPI_KEY" \
    -H "x-rapidapi-host: detectzestack.p.rapidapi.com")
  detected=$(echo "$result" | jq -r '.detected')
  if [ "$detected" = "true" ]; then
    echo "$domain	Laravel"
  fi
done < domains.txt

If you would rather pull the whole stack per domain (database, CDN, analytics, JS framework, and Laravel together) so you only spend one request each, call /analyze and filter client-side. For high-throughput patterns, connection reuse, concurrency, and quota management, see Batch Scan 1,000 Websites for Tech Stack. The same approach underpins tech-detection lead enrichment when you are building targeted prospect lists.

Common Pitfalls and False Positives

Three situations regularly trip up Laravel detection. Recognizing them keeps your inventory honest.

Renamed or Disabled Session Cookies

Laravel lets you rename the session cookie in config/session.php (the cookie option), and some teams do so to reduce fingerprinting. When the cookie is renamed, the default laravel_session signal will not fire. Detection then falls back to softer signals (the CSRF meta tag, Livewire/Inertia markers, the PHP header), none of which is as reliable. A hardened Laravel site can legitimately come back as "PHP detected, framework unknown."

XSRF-TOKEN Alone Is Not Proof

The XSRF-TOKEN cookie name is conventional in the Laravel/Axios world but is not exclusive to Laravel — other stacks have adopted the same name for client-readable CSRF tokens. If you see XSRF-TOKEN without laravel_session, treat it as a hint, not a confirmation. The detector weights laravel_session as the primary signal for exactly this reason.

Cookies Set Later in the Flow

If you fetch only the home page and it is fully cached at a CDN edge, the origin's Set-Cookie may never reach you. Some apps only start a session on a route that touches it (login, a form, a dashboard). When a top-level scan comes back empty but you suspect Laravel, try a route that requires session state. This is one reason an API that follows redirects and handles these cases is more dependable than a single manual curl against the root URL.

Conclusion and Next Steps

Detecting Laravel on a single site comes down to one reliable signal: the laravel_session cookie in the HTTP response, usually alongside XSRF-TOKEN. A quick curl -sI ... | grep -i set-cookie answers the question for one URL. Softer signals — the CSRF meta tag, Livewire and Inertia markers, the Whoops error page, and the PHP X-Powered-By header — help when a site has renamed its session cookie.

Detecting it across a portfolio takes one HTTP call per domain to /analyze or /check, which runs the same cookie-and-header detection and returns Laravel in the Web frameworks category as structured JSON, with PHP usually riding along. From there, the same call gives you every other piece of the stack: database, CDN, analytics, JavaScript framework, and more — one quota, one response shape, every technology in one shot.