Ask HN: Why do web servers still reveal their type and version in headers?
Isn't that inviting bad actors to scour the web for servers with just the right vulnerability?
What's to gain by revealing that? There is no need to reveal this today. Long ago most daemons would advertise what they were and their version in the event clients might need to negotiate around specific behaviors, quirks or bugs.

In NGinx one can get rid of this without recompiling by adding the "nginx-mod-http-headers-more" module and adding to nginx.conf:

    more_set_headers 'Server: IIS/4.0'; # or whatever

HAProxy and most load balancer daemons can filter out or replace the Server header. Apache requires a recompile to drop the Server header unless one puts HAProxy in front of it due to the order in how headers are processed. In HAProxy:

    http-response set-header Server Silly

or

    http-response del-header Server

After making changes one can scan their headers in SecurityHeaders [1] to see what has changed, or use curl:

    curl --head https://some.tld/

As to why they still display this? Showing off in crawler stats who is dominant on the internet.


> Showing off in crawler stats who is dominant on the internet.

Had not thought of that.


Here is a survey [1] from October of 2022 or just the graph [2] as that page has some odd CSS menus for me that block half of the page. This page uses an additional source. [3]

[1] - https://news.netcraft.com/archives/category/web-server-surve...

[2] - https://news.netcraft.com/images/2022/10/wss-share.png


If I recall correctly: If you have control over the Apache server, you can install mod_security and use ServerTokens to unset headers. No need to recompile.


Some sites may provide a default noscript/basic (x)html web interface.
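The thread's check is `curl --head` and eyeballing the output. As an added example (not code from the thread, nor from nginx, HAProxy or curl), here is a small Python script that does the same audit mechanically: it parses a raw response head, as printed by `curl --head` or as returned by its own HEAD request, and reports every fingerprinting header, distinguishing values that carry a version token (`nginx/1.18.0`, `PHP/8.1.2`) from values that only name a product. The list of header names and the three sample responses are constructed assumptions of the example; a decoy such as `Server: IIS/4.0` is flagged like any other version string, since the script cannot tell a lie from a leak.

```python
"""Audit HTTP response headers for server-software and version disclosure.

Added example for this thread, not code from the original post or from any
project it mentions. Pipe `curl --head` output into it, or pass a URL, and it
reports which headers identify the stack and which also carry a version.
The header list and the sample responses below are assumptions.
"""
from __future__ import annotations

import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Response headers that commonly identify the server stack (assumed list).
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")

# Product token followed by a version, e.g. "nginx/1.18.0", "Apache/2", "PHP/8.1.2".
VERSION_RE = re.compile(r"\b([A-Za-z][\w.+-]*)/(\d+(?:\.\d+)*)")


@dataclass
class Finding:
    header: str          # header name as sent by the server
    value: str           # full header value
    kind: str            # "version" (product and version) or "product" (name only)
    product: str | None  # e.g. "nginx/1.18.0" when kind == "version", else None


def parse_raw_head(raw: bytes) -> list[tuple[str, str]]:
    """Turn a raw HTTP/1.x response head (what `curl --head` prints) into
    (name, value) pairs. The status line is skipped, parsing stops at the
    first blank line, and obsolete line folding is not handled."""
    headers = []
    for line in raw.splitlines():
        if line.startswith(b"HTTP/"):
            continue                      # status line, not a header
        if not line.strip():
            break                         # end of the header block
        name, sep, value = line.partition(b":")
        if not sep:
            continue                      # not a header line
        headers.append((name.decode("latin-1").strip(), value.decode("latin-1").strip()))
    return headers


def audit(headers: list[tuple[str, str]]) -> list[Finding]:
    """Report every fingerprinting header present. A value containing a
    product/version token is "version"; a bare product name (or a decoy such
    as `Server: Silly`) is "product". A stripped header yields nothing."""
    findings = []
    for name, value in headers:
        if name.lower() not in FINGERPRINT_HEADERS:
            continue
        match = VERSION_RE.search(value)
        if match:
            findings.append(Finding(name, value, "version", f"{match.group(1)}/{match.group(2)}"))
        else:
            findings.append(Finding(name, value, "product", None))
    return findings


def fetch_headers(url: str, timeout: float = 10) -> list[tuple[str, str]]:
    """HEAD the URL and return its response headers. Error responses are
    kept: a 404 page leaks the Server header just as readily as a 200."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return list(resp.headers.items())
    except urllib.error.HTTPError as err:
        return list(err.headers.items())


# Constructed sample responses (not captured from a real host).
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.18.0 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/8.1.2\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)
# What `http-response set-header Server Silly` would produce.
DECOY_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Silly\r\nContent-Type: text/html\r\n\r\n"
# What `http-response del-header Server` would produce.
STRIPPED_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def report(headers: list[tuple[str, str]]) -> list[Finding]:
    findings = audit(headers)
    if not findings:
        print("no fingerprinting headers present")
    for f in findings:
        print(f"{'VERSION' if f.kind == 'version' else 'product':8} {f.header}: {f.value}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(fetch_headers(sys.argv[1]))                # python3 audit_headers.py https://some.tld/
    elif not sys.stdin.isatty():
        report(parse_raw_head(sys.stdin.buffer.read()))   # curl --head https://some.tld/ | python3 audit_headers.py
    else:
        for sample in (LEAKY_RESPONSE, DECOY_RESPONSE, STRIPPED_RESPONSE):
            report(parse_raw_head(sample))
```

Run it against the three built-in samples with no arguments, or feed it real `curl --head` output; `X-Powered-By` is included because stripping `Server` alone still leaves the application runtime advertised when that header is set.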