How to Tell If a Website Uses Imperva (Incapsula)
Imperva (formerly Incapsula) is an enterprise WAF and CDN. Detect it via the X-Iinfo and X-CDN: Incapsula response headers, incap_ses / visid_incap cookies and _Incapsula_Resource scripts.
Imperva — whose cloud-security product was long known as Incapsula — is an enterprise WAF, CDN and DDoS-protection platform protecting high-value and high-traffic sites. Because its network sits in front of the origin, detecting it is mainly about reading HTTP response headers and cookies: look for the X-Iinfo header, X-CDN: Incapsula, and incap_ses_/visid_incap_ cookies. This guide covers every reliable signal, how the cloud WAF works, the other enterprise WAFs and CDNs to distinguish it from, and what Imperva usage tells you about the scale and security maturity of the organisation behind the site.
What is Imperva (Incapsula)?
Imperva is a cybersecurity company whose cloud application-security service — historically branded Incapsula — provides a Web Application Firewall, a global CDN, DDoS protection, and bot management. Like other cloud WAFs, it works as a reverse proxy: the site's DNS is pointed at Imperva, so all traffic flows through Imperva's network first, where attacks and malicious bots are filtered, DDoS floods are absorbed, and content is accelerated, before clean requests reach the origin. Imperva targets the enterprise — it is common on finance, large ecommerce, gaming, government and high-traffic sites with serious security and availability requirements.
For detection, the key context is that Imperva is an enterprise security investment, so finding it signals a larger, well-resourced organisation protecting high-value assets. Because the WAF is in the request path, it stamps its presence on the HTTP responses and sets cookies, making it detectable from headers and cookies alone, without on-page markup. Its presence tells you the site is defended against DDoS and application attacks at an enterprise level — a strong signal of organisational scale.
How Imperva sits in front of a site
As a reverse proxy, Imperva's Incapsula network adds its own response headers and cookies to the traffic it serves. The most telling header is X-Iinfo — a diagnostic header carrying internal request and node information, unique to Imperva — often accompanied by X-CDN: Incapsula. For session and visitor management (and bot detection), Incapsula sets cookies prefixed incap_ses_<id> (session) and visid_incap_<id> (visitor ID). When Imperva needs to challenge a suspicious visitor (a JavaScript or interactive check), it serves an interstitial that may inject a script referencing _Incapsula_Resource, and outright blocks show an Incapsula-branded page.
This header-and-cookie footprint means Imperva is detected like other cloud WAFs — from the network response, not on-page scripts (except on challenge pages). Knowing this — the X-Iinfo and X-CDN: Incapsula headers, the incap_ses_/visid_incap_ cookies, and the _Incapsula_Resource challenge scripts — makes detection a matter of inspecting headers and cookies.
How to tell if a website uses Imperva
Confirm at least one strong signal (an Imperva header or cookie suffices).
1. Read the response headers. Open the Network tab, click the main document, and inspect its response headers. X-Iinfo (and often X-CDN: Incapsula) confirm Imperva.
2. Inspect cookies. Look for incap_ses_<id> and visid_incap_<id> cookies set as traffic passes through Incapsula.
3. Watch for challenge pages. A JavaScript or interactive challenge that references _Incapsula_Resource, or an Incapsula-branded block page, is definitive.
4. Check assets. Headers on assets routed through Imperva's CDN also carry the markers, corroborating the finding.
5. Use a header-inspection tool. Any tool showing raw response headers reveals the X-Iinfo header.
What the Imperva signals look like
Response headers (main document):
X-Iinfo: 9-12345678-12345679 NNNN RT(...) q(...) r(...) ...
X-CDN: Incapsula
Cookie: incap_ses_1234_567890 = "…"
Cookie: visid_incap_567890 = "…"
// Challenge page may reference: /_Incapsula_Resource?...
Any of the X-Iinfo/X-CDN: Incapsula headers or incap_ses_/visid_incap_ cookies — or a _Incapsula_Resource challenge — is conclusive.
Imperva versus other WAFs/CDNs — avoiding false positives
Match the headers and cookies to keep security proxies distinct. Imperva uses X-Iinfo/X-CDN: Incapsula and incap_ses_/visid_incap_ cookies; Sucuri uses Server: Sucuri/Cloudproxy and X-Sucuri-* headers; Cloudflare uses Server: cloudflare and cf-ray; Akamai uses X-Akamai-* headers and reference-error pages; AWS WAF/CloudFront uses x-amz-cf-id and Via: ... cloudfront. Each leaves distinct signals. The X-Iinfo header and the incap-prefixed cookies are unique to Imperva. As with all cloud WAFs, the evidence is in the response headers and cookies, not on-page markup (except challenge pages) — so always inspect the network response.
How reliable is each Imperva signal?
The X-Iinfo header is definitive — it is unique to Imperva — as are the incap_ses_/visid_incap_ cookies and the _Incapsula_Resource challenge references. X-CDN: Incapsula is equally conclusive. The weakest situation is a configuration that strips some diagnostic headers, but the incap cookies are typically still set, and a challenge (if triggered) is unmistakable. As a rule, inspecting the main document's response headers and cookies settles it; an X-Iinfo header or an incap_ses_ cookie confirms Imperva.
What Imperva usage reveals about a site
Finding Imperva is a strong enterprise signal. Because Imperva is a premium, enterprise-grade security platform, its presence indicates a larger, well-resourced organisation protecting high-value or high-traffic assets — finance, large ecommerce, gaming, government, media and big B2B are typical. It tells you the site has serious requirements around DDoS protection, application security and availability, and a budget to match. If you sell enterprise security, performance, or related services, an Imperva site marks a high-value, security-mature account with a relevant buying centre. Its presence also tells you the site's traffic flows through Imperva's network, which is relevant for performance and architecture analysis. Compared to SMB-oriented tools like Wordfence or even Sucuri, Imperva specifically signals enterprise scale.
What finding Imperva means for sales, agencies and competitive research
For sales and prospecting, Imperva is a high-value enterprise qualifier — it marks a large organisation with security budget and serious requirements, a fit for enterprise security, performance and infrastructure services.
For agencies and consultants, finding Imperva tells you the client operates at enterprise scale with a dedicated security function, so engagements are necessarily enterprise-grade — architecture, performance behind the WAF, and integration with broader security tooling.
For competitive and market research, Imperva adoption indicates which competitors operate at enterprise scale with premium protection. Spotting it suggests significant traffic and security investment, useful when benchmarking organisational maturity and infrastructure.
Imperva in the wider stack
Imperva sits in front of the site as an enterprise security-and-delivery proxy, shaping the entire request flow. Behind it you will typically find an enterprise application stack, often an enterprise CMS or custom build, enterprise analytics, and a broader security toolset (Imperva also offers database and API security, which may be present server-side). Because Imperva provides CDN and DDoS protection, it is a core part of the site's performance and availability layer. For an auditor, the valuable details are the Imperva headers and cookies (confirming the WAF/CDN), the enterprise application stack behind it, and how the WAF affects performance; together these confirm an enterprise-scale, security-invested organisation and its protection architecture. It is also worth remembering that the browser only ever sees the edge of an Imperva deployment; behind the WAF, the same vendor often provides database security, API protection and data-loss prevention, so a single X-Iinfo header can be the visible tip of a much broader enterprise security investment.
A quick Imperva confirmation walkthrough
Open the site with developer tools on the Network panel and click the main document. Open its Headers and read the response headers for X-Iinfo and X-CDN: Incapsula. Open the Application panel and check cookies for incap_ses_<id> and visid_incap_<id>. If you encounter a JavaScript challenge or block, look for a _Incapsula_Resource reference or Incapsula branding. Check a couple of assets for the same headers. Any X-Iinfo header or incap-prefixed cookie confirms Imperva is protecting the site.
A quick Imperva detection checklist
- Read the main document's response headers for
X-IinfoandX-CDN: Incapsula— conclusive. - Check cookies for
incap_ses_<id>andvisid_incap_<id>. - Watch for a
_Incapsula_Resourcechallenge script or Incapsula-branded block page. - Check assets for the same Imperva headers as corroboration.
- Note the enterprise application stack behind the WAF.
- Distinguish Imperva (
X-Iinfo) from Sucuri (X-Sucuri-*) and Cloudflare (cf-ray).
Detecting Imperva at scale
Checking one site is quick, but mapping enterprise-WAF adoption across many domains — to identify large, security-invested organisations — calls for automation. StackOptic detects Imperva (Incapsula) and thousands of other technologies from a real browser, reading response headers and cookies so it identifies enterprise security proxies reliably. Because Imperva so specifically marks enterprise scale, a market-wide scan for it — alongside peers like Akamai and enterprise Cloudflare — is an efficient way to build a list of the largest, most security-invested organisations in a sector, exactly the accounts enterprise security and infrastructure vendors most want to reach. For related reading, see our guides to HTTP security headers and telling if a website uses Cloudflare or another CDN, and the full Imperva technology profile.
Frequently asked questions
What is the fastest way to tell if a site uses Imperva?
Open the Network tab, click the main document, and read its response headers. Imperva's Incapsula WAF adds an X-Iinfo header (and often X-CDN: Incapsula). You can also check cookies for incap_ses_ and visid_incap_ prefixes. Any of these confirms Imperva.
What is the X-Iinfo header?
X-Iinfo is a diagnostic response header added by Imperva's Incapsula network, containing internal request and node information. Its presence is a definitive, characteristic Imperva signal, since no other product uses that header. It appears on responses served through the Incapsula WAF/CDN.
What are the incap_ses and visid_incap cookies?
Imperva's Incapsula sets cookies prefixed incap_ses_ (session) and visid_incap_ (visitor ID) to manage sessions and bot/visitor identification as traffic passes through its network. Spotting these incap-prefixed cookies is a strong, characteristic Imperva signal alongside the headers.
What is the _Incapsula_Resource script?
On challenge or interstitial pages, Incapsula may inject a script referencing _Incapsula_Resource (used for its JavaScript-based bot/human checks). Encountering a _Incapsula_Resource reference, or an Incapsula-branded challenge page, is a definitive Imperva signal.
What does it mean if a site uses Imperva?
Imperva (Incapsula) is an enterprise-grade WAF, CDN and DDoS-protection platform. Finding it signals a larger organisation protecting high-value or high-traffic sites — common in finance, enterprise, gaming and ecommerce — with serious security and availability requirements.
Analyse any website with StackOptic
Get the full technology stack, performance, security and SEO report in seconds — free.
Analyse a websiteRelated articles
How to Tell If a Website Uses Heap
Heap (Heap Analytics) autocaptures product events. Detect it via the cdn.heapanalytics.com script, the global heap object, heapanalytics.com beacons and _hp2 cookies.
How to Tell If a Website Uses Foundation
Foundation (by Zurb) is a responsive front-end framework. Detect it via its grid classes (row/columns, grid-x/cell), data-* component attributes and the foundation.css/js files.
How to Tell If a Website Uses Crisp
Crisp is a developer-friendly, affordable live-chat and messaging tool. Detect it via the client.crisp.chat/l.js script, the window.$crisp object and the CRISP_WEBSITE_ID value.