How to remove HTTP Server "Apache"?


For security reasons, I need to remove (yes, I really need to remove, delete or hide) the Apache signature.

I use the ServerSignature and ServerTokens directives, but they only hide the version...

ServerSignature Off
ServerTokens Prod

The result is:

Name                :Value
Date                :Mon, 15 Jun 2015 11:47:28 GMT
Content-Encoding    :gzip
Last-Modified       :Sun, 14 Jun 2015 00:01:37 GMT
Server              :Apache
ETag                :"6176c-28f4-5186f0b8c3bb0"
Vary                :Accept-Encoding,User-Agent
Content-Type        :text/xml; charset=utf-8
Cache-Control       :max-age=1
Accept-Ranges       :bytes
Content-Length      :1531
Expires             :Mon, 15 Jun 2015 11:47:29 GMT

Look at this:

Server              Apache

I need (without the HTTP header "Server:Apache"):

Name                Value
Date                Mon, 15 Jun 2015 11:47:28 GMT
Content-Encoding    gzip
Last-Modified       Sun, 14 Jun 2015 00:01:37 GMT
ETag                "6176c-28f4-5186f0b8c3bb0"
Vary                Accept-Encoding,User-Agent
Content-Type        text/xml; charset=utf-8
Cache-Control       max-age=1
Accept-Ranges       bytes
Content-Length      1531
Expires             Mon, 15 Jun 2015 11:47:29 GMT

Thanks!

I am very sorry, Apache team, but this time I can't show your signature.


There are 2 best solutions below

0

The core distribution doesn't allow it to be removed. It's trivial to do in a plugin. mod_security allows you to configure it to be stripped.

0

This should be a comment, but it's a bit long....

"For security reason, i need remove...Apache signature" - even from the data other than the Server header it is blatantly obvious that this is an Apache server (or something doing a very good impression of one).

As per discussion on security.stackexchange I do not believe that there is any security benefit in removing banners from your software. In addition to the information in your headers I could also determine this from the default error messages, how the server handles content negotiation, conditional requests, .... every time I look at a related issue, the list gets longer.

I've yet to see any evidence that disabling banners had any impact on a site's security (as opposed to allowing an auditor to tick a box in a checklist). But if anyone can provide a reference I would be very interested to hear.
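The point made in the answer above, that headers other than Server still identify the software, can be checked against your own responses. The following is an added example, not code from either answer or from the Apache project: it audits a header dump and decodes the ETag, assuming Apache httpd's file-based ETag layout (hex inode, size and mtime in microseconds, governed by the FileETag directive). The function names are hypothetical and the sample values are copied from the question.

```python
import calendar
import re
from email.utils import parsedate_to_datetime

# Header values copied from the question's dump, written in wire format.
SAMPLE = """\
Server: Apache
Last-Modified: Sun, 14 Jun 2015 00:01:37 GMT
ETag: "6176c-28f4-5186f0b8c3bb0"
Vary: Accept-Encoding,User-Agent
Accept-Ranges: bytes
"""

# Assumed layout: optional inode, then size, then mtime, all lowercase hex.
ETAG_RE = re.compile(r'^(?:W/)?"(?:([0-9a-f]+)-)?([0-9a-f]+)-([0-9a-f]+)"$')

def parse_headers(text):
    """Turn 'Name: value' lines into a dict keyed by lower-case header name."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def decode_file_etag(etag):
    """Split a file-based ETag into its fields, or return None if it does not fit."""
    m = ETAG_RE.match(etag)
    if not m:
        return None
    inode, size, mtime = m.groups()
    return {"inode": int(inode, 16) if inode else None,
            "size": int(size, 16),
            "mtime": int(mtime, 16) // 1_000_000}  # microseconds -> seconds

def audit(headers):
    """List the ways this response still discloses what is serving it."""
    findings = []
    if "server" in headers:
        findings.append("Server header present: " + headers["server"])
    fields = decode_file_etag(headers.get("etag", ""))
    if fields and "last-modified" in headers:
        modified = parsedate_to_datetime(headers["last-modified"])
        if fields["mtime"] == calendar.timegm(modified.utctimetuple()):
            findings.append("ETag mtime field equals Last-Modified (file-based ETag)")
            if fields["inode"] is not None:
                findings.append("ETag exposes file inode %d" % fields["inode"])
    return findings

if __name__ == "__main__":
    for finding in audit(parse_headers(SAMPLE)):
        print(finding)
```

Setting `FileETag MTime Size` (or `FileETag None`) in the Apache configuration drops the inode field that the last finding reports.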