Adib Aroui

Reputation: 5067

Why and when to omit server header from HTTP response?

I will probably work on a project for abc.com hosted under xyz.abc.com. When I visit xyz.abc.com, the response contains the Server header and I can know that it is Apache2 running on Ubuntu OS (Apache/2.2.22 (Ubuntu)). But when I visit abc.com and navigate on it, there is no Server header in any of the responses.

Any explanations on this behaviour?

Is the Server header presence controllable via Apache configuration or via programming (in PHP it is possible to set Last-Modified, for example)? If it is via a directive, does it mean there are different instances of Apache for the separate domains (one is configured to return the header and the other one is configured to hide it)?

Or is it possible to use Ubuntu/Apache2 for xyz.abc.com and a completely different technology stack for abc.com? What is the name of this technique?

Could you please explain the different possibilities for a newbie? Thank you in advance.

Upvotes: 0

Views: 703

Answers (1)

Daniel Ferradal

Reputation: 2900

Regarding httpd, there is no option to remove the Server response header by official means.

Officially the most you can do through configuration is to set these directives:

ServerTokens Prod
ServerSignature off

With this, your Server response header will just say "Apache". And this is the most recommended thing to do.

Although if you have some paranoid audit which insists on having you remove the header completely, you have some "third-party" methods; the most well-known, at least for me, is using "mod_security".

There is a third option, that is to modify Apache HTTPD source code yourself and compile it so it will not add the response header, but I doubt anyone would recommend you to do that.

In any case and answering your main question, removing that header does not really add any security to your server, so there is really no reason to remove it.

Upvotes: 2
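An added example (not from the question or the answer) showing how to tell the two cases apart from the raw responses: it parses the headers, maps the Server value to the ServerTokens level that would have emitted it (Prod through Full) and reports "absent" when the header was stripped entirely. The responses and the host names are constructed inline so it runs offline.

```python
# Added example (not from the question or answer): classify what an Apache
# Server header reveals, mapped to the ServerTokens level that would emit it.
# The responses are constructed inline so the script runs offline.
import re

RESPONSES = {  # constructed samples: the two hosts from the question + "ServerTokens Prod"
    "xyz.abc.com": b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\n"
                   b"Content-Type: text/html\r\n\r\n<html></html>",
    "abc.com": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "prod": b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
}

# Values Apache emits at each ServerTokens level, from least to most revealing.
LEVELS = [
    ("Prod",  re.compile(r"^Apache$")),
    ("Major", re.compile(r"^Apache/\d+$")),
    ("Minor", re.compile(r"^Apache/\d+\.\d+$")),
    ("Min",   re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("OS",    re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$")),
    ("Full",  re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\) .+$")),
]

def parse_headers(raw: bytes) -> dict:
    """Return the response headers as a lower-cased name -> value dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def server_disclosure(raw: bytes) -> str:
    """'absent' if no Server header, else the matching ServerTokens level or 'other'."""
    value = parse_headers(raw).get("server")
    if value is None:
        return "absent"
    for level, pattern in LEVELS:
        if pattern.match(value):
            return level
    return "other"

def audit(responses: dict) -> dict:
    """Disclosure level per host; anything beyond 'Prod' is worth tightening."""
    return {host: server_disclosure(raw) for host, raw in responses.items()}

if __name__ == "__main__":
    for host, level in audit(RESPONSES).items():
        print(f"{host}: {level}")
```

With the answer's ServerTokens Prod / ServerSignature off in place, a host that used to report "OS" should report "Prod"; "absent" means the header was removed by something outside stock httpd configuration.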
