Most web servers display its version and modules in use by default. Best security practices recommend that you
disable this option, since it can be used to find vulnerabilities of your site.
The NIST Guide for Securing Web Servers also recommends it.
Here is an example of a server banner on Apache with it enabled:
Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/188.8.131.5235 mod_perl/2.0.5 Perl/v5.8.8
As you can see, it leaks not only the Apache version (in this case outdated), but also the modules being used and their versions. The same applies to NGINX and IIS.
Disabling on Apache
To disable server banners on Apache, you will need to edit your httpd.conf and add:
ServerSignature Off ServerTokens Prod
If you’re on a shared server, you will need to contact your hosting provider to request they make the necessary change.
Note that all WAF users are already protected against this.
If you have any questions, please contact our research team at firstname.lastname@example.org.