Not revealing too much in an HTTP response
When setting up an HTTP server, I always strip any sensitive information from the HTTP response sent out by the server instance. For example, the HTTP response of your average site may look something like this:
HTTP/1.1 200 OK
Content-Type: text/html
Accept-Ranges: bytes
ETag: "000000000"
Last-Modified: Mon, 13 Dec 2008 13:37:00 GMT
Date: Mon, 13 Dec 2008 13:37:00 GMT
Server: lighttpd
You’ll notice the last header, identifying the HTTP server software name. In this case, I only stripped out the version of lighttpd.
Imagine I were running version X of Apache when the world finds out there’s an unpatched vulnerability in that specific version. If my server did not filter the above header, it would be trivial for potential intruders to identify my machine as vulnerable.
Now, you might be thinking of setting the header to something completely different from what you’re actually running. That’s fine and may even be a smart move. Be aware, though, that doing so not only throws off snooping geeks but also masks the true software serving your site, so statistics-gathering bots that survey web server usage will be just as confused.
Anyway, Apache HTTPd controls this through the ServerTokens directive. If you’re running lighttpd, a simple server.tag = "Foo" in the configuration file does the trick.
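As an added example (not from the original post), here is a small Python audit that parses a raw HTTP response and reports headers that still name the server software or leak a version number, which is the check I run after changing ServerTokens or server.tag. The header list and the sample responses are constructed for illustration:

```python
import re
from typing import Dict, List

# Response headers that commonly disclose the software stack behind a site
# (an assumed, illustrative list; extend it for your own stack).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# A dotted version number such as 2.4.0 or 1.4.59.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP/1.x response into a lowercase header map."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_disclosure(raw_response: str) -> List[str]:
    """Return one finding per header that names the software or its version."""
    findings: List[str] = []
    for name, value in parse_headers(raw_response).items():
        if name not in DISCLOSING_HEADERS:
            continue
        if VERSION_RE.search(value):
            findings.append(f"{name}: version disclosed ({value})")
        else:
            findings.append(f"{name}: software name disclosed ({value})")
    return findings


# Constructed sample responses: the post's stripped lighttpd response, a
# leaky one with made-up version strings, and one with the header removed.
STRIPPED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nAccept-Ranges: bytes\r\n"
    "ETag: \"000000000\"\r\nDate: Mon, 13 Dec 2008 13:37:00 GMT\r\n"
    "Server: lighttpd\r\n\r\n<html></html>"
)
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Server: Apache/2.4.0 (Unix)\r\nX-Powered-By: PHP/5.2.0\r\n\r\n"
)
CLEAN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("stripped", STRIPPED_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(label, audit_disclosure(resp) or ["no disclosure"])
```

Feed it the output of a raw request to your own server (for example the bytes returned by `curl -i`) to confirm the configuration change actually took effect.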