Envoy
Envoy is a high-performance service proxy, common as an edge proxy, API gateway or sidecar in modern microservice deployments. ScanMalware detects it from the `server: envoy` response header.
Envoy in front of a site confirms a proxied, often cloud-native backend, but it reveals nothing about the application behind it — that is what the rest of the scan examines.
Commonly deployed alongside Envoy
Of the 3,523 public scans where Envoy was detected, these are the technologies most often present on the same site. The share is the percentage of Envoy sites that also ran each one.
| Technology | Category | Share of Envoy sites |
|---|---|---|
| HSTS | wappalyzer | 69.45% |
| Cloudflare | wappalyzer | 24.4% |
| HTTP/3 | wappalyzer | 23.38% |
| Cloudflare Bot Management | wappalyzer | 22.87% |
| PoweredBy | miscellaneous | 17.65% |
| Open-Graph-Protocol | miscellaneous | 16.82% |
| MetaGenerator | miscellaneous | 15.83% |
| X-UA-Compatible | miscellaneous | 14.92% |
| Google Tag Manager | wappalyzer | 14.44% |
| OpenSearch | miscellaneous | 11.89% |
| Amazon Web Services | wappalyzer | 11.46% |
| Google Analytics | wappalyzer | 11.43% |
| Google Cloud | wappalyzer | 10.41% |
| Script | miscellaneous | 10.16% |
How ScanMalware detects Envoy
Envoy is detected by analysing the response headers, HTML markup, JavaScript runtime and asset URLs captured when ScanMalware loads the site in a real headless browser.
From any scan you can pivot into related signals — JARM TLS fingerprints, ASN ownership and BGP routing, certificate history, JavaScript analysis and the overall security verdict — to understand not just that Envoy is present, but how it is being used.
Recent public scans featuring Envoy
A rolling sample of recent public scans where Envoy was detected. Listing a site here is not a safety judgement — open a scan to see its full verdict.
| Site | Scanned |
|---|---|
| Instagram https://ac5k6.r.a.d.sendibm1.com/mk/cl/f/sh/6rqJfgq8dIR6T2FrIH2IQ7sHVcD/1aPOqSh_fzq3 | 2026-06-16 |
| Dropbox - 404 https://photos-thumb.dropbox.com | 2026-06-16 |
| https://r.brevo.etailment.de/mk/cl/f/sh/7nVU1aA2nfwLoblvWZc0hMcWtusK7uA/5vet574q7Qu8 | 2026-06-16 |
| Slack https://intermedia.slack.com | 2026-06-16 |
| https://event.lbkrs.com | 2026-06-16 |
| https://backstory.ebay.fr | 2026-06-16 |
| https://content-nf01.netfortris.com | 2026-06-15 |
| https://api-user.meiyan.com | 2026-06-15 |
Frequently asked questions about Envoy
- Does using Envoy mean a website is unsafe?
  - No. Envoy is a stack component, not a verdict. ScanMalware scores the whole page — its scripts, redirects, certificates, threat-intelligence matches and behaviour — so a site using Envoy can be perfectly safe or actively malicious.
- How many sites using Envoy has ScanMalware scanned?
  - Envoy has been detected in 3,523 public scans on ScanMalware.com. Each scan is a real headless-browser visit, and the figure updates as new URLs are submitted.
- What technologies are commonly used with Envoy?
  - Across scanned sites, Envoy is most often seen alongside HSTS, Cloudflare and HTTP/3. The full co-occurrence breakdown is listed on this page.