ServerSignature and ServerTokens are two variables that determine how the Apache server describes itself, which makes it useful to keep some secrets. While obscurity is not security, it’s nevertheless a good idea not to save a potential attacker time by giving them the exact versions of everything you run on your server.
ServerTokens
ServerTokens describe how much information about itself Apache divulges, both in the HTTP headers, and in the signature on server-generated pages, such as errors and directory indexes. Here are the possible settings and example values:
Full: Apache/2.2.3 (Red Hat) mod_ssl/2.2.4 OpenSSL/0.9.7l DAV/2 mod_fastcgi/2.4.2 PHP/5.1.5 mod_jk/1.2.15
OS: Apache/2.2.3 (Red Hat)
Minimal: Apache/2.2.3
Minor: Apache/2.2
Major: Apache/2
ProductOnly: Apache
ServerSignature
This describes how Apache refers to it
self in server-generated pages. Possible values are On, Off or EMail. On will give a message like:
Apache Server at www.example.com Port 80
Where “Apache Server” is the result of the ServerTokens value. Setting ServerSignature to EMail, will give something like (note the mailto link):
Apache Server at www.somerandomstuff.com Port 80
And finally, setting it to Off, will show nothing.