In a default Apache installation, the relevant part of your config file looks like this:

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Full

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On
This produces the following default error message (e.g. when a faulty .htaccess file triggers an error):
Internal Server Error
…
Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 Server at [servername] Port 80
For a production server, that is quite a bit of information to give away, especially the exact version numbers of the OS, Apache and PHP, which let anyone match those versions against known, unpatched bugs.

It is better to change the two directives to:

# ...
ServerTokens Prod
# ...
ServerSignature Off

This removes the footer line of the error message, where the Apache and OS versions are shown, and, as the ServerTokens comment above describes, also cuts the Server response header down to the bare product name, which improves your security.
It is of course 100x more important to keep your software up to date, but hiding the version you are running can still help, even if only a little.
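An audit script to verify the change, added here as an example and not part of the original post: it infers the effective ServerTokens level from a captured response's Server header (using the header shape Apache emits at each level) and checks whether the ServerSignature footer is still present in the error page. The two sample responses and the host name example.test are constructed.

```python
import re

# Shape of the Server header for each ServerTokens level, ordered from
# most to least verbose so the first match is the right one.
TOKEN_LEVELS = [
    ("Full",    r"^Apache/\d+\.\d+\.\d+ \([^)]+\) \S+"),
    ("OS",      r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$"),
    ("Minimal", r"^Apache/\d+\.\d+\.\d+$"),
    ("Minor",   r"^Apache/\d+\.\d+$"),
    ("Major",   r"^Apache/\d+$"),
    ("Prod",    r"^Apache$"),
]

# The ServerSignature footer: "... Server at <host> Port <n>" inside <address>.
SIGNATURE_RE = re.compile(r"<address>.*Server at .* Port \d+.*</address>", re.S)

def server_tokens_level(server_header):
    """Infer the effective ServerTokens setting from a Server header value."""
    value = server_header.strip()
    for level, pattern in TOKEN_LEVELS:
        if re.match(pattern, value):
            return level
    return "unknown"  # non-Apache, proxied or otherwise customised header

def signature_enabled(body):
    """True if the page body still carries the ServerSignature footer."""
    return SIGNATURE_RE.search(body) is not None

def audit(raw_response):
    """Split a raw HTTP response into headers and body; report both findings."""
    head, _, body = raw_response.partition("\r\n\r\n")
    server = ""
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, val = line.partition(":")
        if name.strip().lower() == "server":
            server = val.strip()
    level = server_tokens_level(server)
    return {
        "server_tokens": level,
        "server_signature": signature_enabled(body),
        "hardened": level == "Prod" and not signature_enabled(body),
    }

# Constructed sample: a 500 page from the default config shown in the post.
LEAKY = ("HTTP/1.1 500 Internal Server Error\r\n"
         "Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11\r\n"
         "Content-Type: text/html\r\n\r\n"
         "<h1>Internal Server Error</h1><hr>"
         "<address>Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 Server at example.test Port 80</address>")
# Constructed sample: the same page after ServerTokens Prod / ServerSignature Off.
HARDENED = ("HTTP/1.1 500 Internal Server Error\r\n"
            "Server: Apache\r\nContent-Type: text/html\r\n\r\n"
            "<h1>Internal Server Error</h1>")
```

In practice you would feed audit() the raw response captured from your own server (for example with curl -si against a URL that 500s) to confirm the change took effect after a restart.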