I have been trying to disable the server signature for a while, but I found that turning off the ServerSignature directive didn’t work for all servers. The signature might read something like:
Apache/2.2.X (Ubuntu) mod_ssl/2.X.X OpenSSL/0.X.X
If your server exposes this information, it’s easier for an attacker to compromise a system based on flaws in a particular server software version (especially if your server software is allowed to become outdated, or your distribution is slow to release security updates). By default, Apache displays this in plain text on error pages, and also sends it as a Server header on every response.
To disable it completely, you should set the following directives in your Apache configuration:
ServerSignature Off
ServerTokens Prod
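To confirm the change took effect, the check below (an added example, not part of the original post) audits a raw HTTP response for both places the banner appears and names the directive responsible for each leak. The sample responses, version numbers and the `audit_response` helper are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real server).
BODY = "<html><body><h1>Not Found</h1>{footer}</body></html>"
FULL = "Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1"
SAMPLES = {
    # Defaults: full banner in the header and in the error page footer.
    "default": "HTTP/1.1 404 Not Found\r\nServer: " + FULL + "\r\n\r\n"
    + BODY.format(footer="<address>" + FULL + " Server at www.example.com Port 80</address>"),
    # Only ServerSignature Off: footer gone, header unchanged.
    "signature_off_only": "HTTP/1.1 404 Not Found\r\nServer: " + FULL + "\r\n\r\n"
    + BODY.format(footer=""),
    # ServerSignature Off and ServerTokens Prod.
    "both_set": "HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n"
    + BODY.format(footer=""),
}

FOOTER = re.compile(r"<address>(.*?Server at .*?)</address>", re.I | re.S)


def audit_response(raw):
    """Return findings for one raw HTTP response, naming the directive to change."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    server = ""
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    findings = []
    # A product token with "/version" or a "(comment)" is more detail than Prod sends.
    if re.search(r"/\S|\(", server):
        findings.append("ServerTokens: Server header exposes " + server)
    footer = FOOTER.search(body)
    if footer:
        findings.append("ServerSignature: error page footer exposes " + footer.group(1))
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit_response(raw) or "no version details exposed")
```

With both directives set, the Server header is still sent but reads only `Apache`, so the product name remains visible while the version, OS and module details are gone. To audit a live server, pass the output of `curl -i` for a missing page on your own host to `audit_response`.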