from Hacker News

Ask HN: Why do web servers still reveal their type and version in headers?

by johnsanders on 10/21/22, 10:25 AM with 5 comments

Isn't that inviting bad actors to scour the web for servers with just the right vulnerability? What's to gain by revealing that?

by LinuxBender on 10/21/22, 12:52 PM
There is no need to reveal this today. Long ago most daemons would advertise what they were and their version in the event clients might need to negotiate around specific behaviors, quirks or bugs.
In NGinx one can get rid of this without recompiling by adding the "nginx-mod-http-headers-more" module and adding to nginx.conf:
```
    more_set_headers 'Server: IIS/4.0'; # or whatever
```
HAProxy and most load balancer daemons can filter out or replace the Server header. Apache requires a recompile to drop the Server header unless one puts HAProxy in front of it due to the order in how headers are processed. In HAProxy:
```
    http-response set-header Server Silly
```
or
```
    http-response del-header Server
```
After making changes one can scan their headers in SecurityHeaders [1] to see what has changed, or use curl:
```
    curl --head https://some.tld/
```
As to why they still display this? Showing off in crawler stats who is dominate on the internet.
[1] - https://securityheaders.com/
by sylware on 10/21/22, 11:05 AM
Some sites may provide a default noscript/basic (x)html web interface.