Why use this header at all?
This header tells the client (browser) what web server software, and potentially which operating system, you are running. It is mainly used by software vendors to measure market share, so they have an incentive to keep the header in place by forcing its output (Apache httpd, for example).
Consider the Impact of Compliance section below to see if this recommendation works for you.
Disable this header or minimize its output.
By following this recommendation, what risk is mitigated?
Disabling this header reduces the accuracy of fingerprinting your web server software and adds a layer of complexity for an attacker, which increases the chance that you notice an attack in progress and are able to react. It also makes determining which CVEs apply to your server considerably more difficult.
Impact of Compliance
By following this recommendation, you may expect these changes in your site's functionality
There should be no impact to your site, servers, or third party consumers if you disable the header.
What you can do to get there
Your web server configuration should contain options for disabling this header or minimizing its value to attackers.
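As an added example (not part of this guide), the following Python check parses a raw HTTP response and classifies how much its Server header discloses, so you can verify a configuration change actually took effect. The sample responses are constructed, not captured from any real host.

```python
import re

# Constructed sample responses illustrating the disclosure levels.
SAMPLE_RESPONSES = {
    # Default verbose output: product, version and operating system.
    "verbose": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Type: text/html\r\n\r\n",
    # What Apache's "ServerTokens Prod" or nginx's "server_tokens off" leaves behind.
    "product": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    # Header removed entirely (usually needs an extra module or a reverse proxy).
    "absent": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

VERSION_RE = re.compile(r"/\d")      # e.g. "Apache/2.2.3", "nginx/1.18.0"
OS_RE = re.compile(r"\([^)]*\)")     # e.g. "(CentOS)", "(Unix)"


def parse_headers(raw: str) -> dict:
    """Return the response headers as a dict with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def server_disclosure(raw: str) -> str:
    """Classify the Server header: 'absent', 'product', 'version' or 'version+os'.

    Only 'absent' fully meets this recommendation; 'product' is the minimised
    form most servers offer through configuration alone.
    """
    value = parse_headers(raw).get("server", "")
    if not value:
        return "absent"
    if not VERSION_RE.search(value):
        return "product"
    if OS_RE.search(value):
        return "version+os"
    return "version"


def audit(responses: dict) -> dict:
    """Map each sample name to its disclosure level."""
    return {name: server_disclosure(raw) for name, raw in responses.items()}


if __name__ == "__main__":
    for name, level in audit(SAMPLE_RESPONSES).items():
        print(f"{name:8s} -> {level}")
```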
What this header may look like when implemented securely
This header should be ABSENT.
For contrast, an insecure value that discloses both the software version and the operating system:
Server: Apache/2.2.3 (CentOS)