Most web servers display their version and the modules in use by default. Security best practices recommend that you
disable this option, since the information can be misused against your site.
The NIST Guide for Securing Web Servers also recommends it.
This is an example of a server banner on Apache with it enabled:
Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/18.104.22.16835 mod_perl/2.0.5 Perl/v5.8.8
As you can see, it leaks not only the Apache version (in this case an outdated one), but also the modules being used and their versions. The same applies to NGINX and IIS.
Disabling on Apache
To disable server banners on Apache, you will need to edit your httpd.conf and add:
ServerSignature Off
ServerTokens Prod
If you are on a shared server, you will need to ask your hosting provider to make this change for you.
Note that all WAF users are already protected against this leak.
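To verify that the change took effect, the following Python script (an added example, not part of the original article) parses a Server header like the one above, lists every versioned component it exposes, and estimates which Apache ServerTokens level (Prod, Major, Minor, Min, OS or Full) the header corresponds to. The sample headers and raw response are constructed for offline use.

```python
import re

# Constructed sample values (not captured from a live server).
SAMPLE_FULL = ("Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 "
               "mod_perl/2.0.5 Perl/v5.8.8")
SAMPLE_PROD = "Apache"
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                   "Server: " + SAMPLE_FULL + "\r\n"
                   "Content-Type: text/html\r\n\r\n")


def server_header_from_response(raw):
    """Pull the Server header value out of a raw HTTP response head."""
    for line in raw.split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def parse_server_header(value):
    """Split a Server header into (product, version) pairs plus the OS comment.

    Returns {"products": [(name, version_or_None), ...], "os": str_or_None}.
    """
    os_comment = None
    m = re.search(r"\(([^)]*)\)", value)
    if m:
        os_comment = m.group(1)
        value = value[:m.start()] + value[m.end():]
    products = []
    for token in value.split():
        name, _, version = token.partition("/")
        products.append((name, version or None))
    return {"products": products, "os": os_comment}


def leaked_components(value):
    """Return every 'name/version' the header exposes; an empty list is the goal."""
    return [f"{n}/{v}" for n, v in parse_server_header(value)["products"] if v]


def estimate_server_tokens(value):
    """Map an Apache Server header to the ServerTokens level it most resembles."""
    parsed = parse_server_header(value)
    products = parsed["products"]
    if not products:
        return "unknown"
    _, version = products[0]
    if len(products) > 1:          # modules listed: only Full does that
        return "Full"
    if parsed["os"]:               # "(Unix)" comment without modules
        return "OS"
    if version is None:            # bare product name
        return "Prod"
    return {1: "Major", 2: "Minor"}.get(len(version.split(".")), "Min")
```

After restarting Apache with ServerTokens Prod, the same check on a real response should report the Prod level and no leaked components.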
If you have any questions, please contact our research team at firstname.lastname@example.org.