Hide Laravel from Wappalyzer

Laravel, Quick Tip

For a few years now, everyone seems to be using Laravel for just about everything. That is completely understandable, as it provides some great features. The only downside is that when there is a (security) bug, it is easily exploited. Sites and plugins like Wappalyzer collect and sell data about which technologies websites use. If there is a bug in Laravel, it is easy for an attacker to buy a list of Laravel websites from Wappalyzer and run an automated attack against them. For this reason it is a good idea to hide the fact that you are using Laravel from Wappalyzer. It is relatively easy to do, but it may affect your existing users.

The source code of Wappalyzer is publicly available, so we can check how Wappalyzer knows that we are using Laravel. Simply open the list and search for Laravel. You will find this line, which is basically telling us that Wappalyzer checks for a cookie named laravel_session.

Luckily for us, this is an easy change. Open the file config/session.php and look for the line that starts with cookie. You will see it has the value laravel_session. Change it to something of your liking, making sure you comply with the cookie name rules.

There is only one downside: the moment you put this in production, everyone will be logged out, as the data in the old cookie is no longer read.
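A small check script, added here as an example and not part of the original post, that verifies the change from two angles: whether a response's Set-Cookie headers still carry the laravel_session fingerprint Wappalyzer looks for, and whether a candidate replacement name is a legal cookie name (an RFC 6265 token). The sample headers and the name app_sid are constructed for the demo.

```python
import re
from typing import Iterable, List

# Cookie name Wappalyzer checks for when fingerprinting Laravel (see above).
LARAVEL_DEFAULT_COOKIE = "laravel_session"

# RFC 6265: a cookie name is an HTTP token, i.e. no separators, spaces or
# control characters. Only these characters are allowed.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_cookie_name(name: str) -> bool:
    """True if `name` is a legal cookie name, so it is safe to put in config/session.php."""
    return bool(_TOKEN_RE.match(name))


def cookie_names(set_cookie_headers: Iterable[str]) -> List[str]:
    """Extract the cookie names from raw Set-Cookie header values."""
    names = []
    for header in set_cookie_headers:
        pair = header.split(";", 1)[0]      # "name=value" comes before the attributes
        name, sep, _ = pair.partition("=")
        if sep:
            names.append(name.strip())
    return names


def leaks_laravel(set_cookie_headers: Iterable[str]) -> bool:
    """True if the response still sets the default Laravel session cookie."""
    return LARAVEL_DEFAULT_COOKIE in cookie_names(set_cookie_headers)


# Constructed sample Set-Cookie headers: before and after renaming the cookie.
BEFORE = [
    "laravel_session=eyJpdiI6...; path=/; httponly; samesite=lax",
    "theme=dark; path=/",
]
AFTER = [
    "app_sid=eyJpdiI6...; path=/; httponly; samesite=lax",  # app_sid is a made-up name
    "theme=dark; path=/",
]

if __name__ == "__main__":
    print("before rename, fingerprint present:", leaks_laravel(BEFORE))  # True
    print("after rename, fingerprint present:", leaks_laravel(AFTER))    # False
    print("app_sid is a valid cookie name:", is_valid_cookie_name("app_sid"))  # True
```

In practice feed it the Set-Cookie values from a real response to your site (for example from your HTTP client's response headers) instead of the constructed lists.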

Wappalyzer cache

After changing the cookie name it is possible that Wappalyzer still detects your application as a Laravel application. This is because Wappalyzer caches its results. You can avoid this by appending a fake parameter to the URL:

http://localhost/myroute?param=test
http://localhost/myroute?param=test&tmp=3423

This forces Wappalyzer to check the site again, and it will no longer see Laravel.