I usually don’t disable Apache, PHP, or nginx headers because, to me, that is just security through obscurity.
My thoughts are this:
- If someone doesn’t know what version of software you are running and they decide to hack your domain or server, they will simply throw every public exploit at it that exists for said product or even simply “fingerprint” it for the correct version.
- It makes my life easier because I can also query for those headers if for some reason I don’t remember the version of software (which saves me from logging in to the server or using other methods that might take longer – efficiency is key!).
- Skiddies are going to throw everything at it anyways.
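
As an added example (not part of the original post), this is what "querying for those headers" yields when auditing your own server: a small parser that pulls product and version tokens out of the `Server` and `X-Powered-By` headers. The two response heads are constructed samples, and the function names are hypothetical.

```python
import re

# Response headers that usually carry product/version banners.
BANNER_HEADERS = ("server", "x-powered-by")
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
PRODUCT_RE = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")  # product[/version]
COMMENT_RE = re.compile(r"\([^()]*\)")  # e.g. "(Ubuntu)"

# Constructed sample response heads (not captured from a real server).
VERBOSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n\r\n"
)
MINIMAL_HEAD = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"


def parse_headers(raw_head):
    """Map lowercased header names to their list of values."""
    headers = {}
    for line in raw_head.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def disclosed_products(raw_head):
    """Return (header, product, version or None) for each banner token."""
    found = []
    headers = parse_headers(raw_head)
    for name in BANNER_HEADERS:
        for value in headers.get(name, []):
            for product, version in PRODUCT_RE.findall(COMMENT_RE.sub(" ", value)):
                found.append((name, product, version or None))
    return found


def leaked_versions(raw_head):
    """Only the entries that reveal an exact version string."""
    return [entry for entry in disclosed_products(raw_head) if entry[2]]


if __name__ == "__main__":
    for label, head in (("verbose", VERBOSE_HEAD), ("minimal", MINIMAL_HEAD)):
        print(label, leaked_versions(head))
```
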
On the flipside…