Is there any reason to keep the "Server" response header in Apache
My server responds with Server: Apache/2.2.15 (CentOS)
to all requests. I guess that this gives away my server architecture making it easier to hack attempts.
Is this ever useful to a web browser? Should I keep it on?
In my opinion, it is best to mask this as much as possible. It's one of the tool you use to hack a web site - discover its technology, use the known flaws of that technology. The same reason why security best practice a while back started promoting to have urls in the form "/view/page" instead of "/view/page.jsp" or "/view/page.asp"... so the underlying technology would not be exposed.
There are some discussions about this such as https://stackoverflow.com/questions/843917/why-does-the-server-http-header-exist and http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html and obviously Hacking Exposed book.
Also this on the Security SE https://security.stackexchange.com/questions/23256/what-is-the-http-server-response-header-field-used-for
But keep in mind that this is not an end-all to securing your servers. Just one more step in the right direction. It does not prevent any hack to be executed. It just make it less visible as to what hack should be performed.
You can change the Server header if you want, but don't count on this for security. Only keeping up to date will do that, since an attacker can just ignore your Server header and try every known exploit from the beginning of time.
RFC 2616 states, in part:
Server implementors are encouraged to make this field a configurable option.
And Apache did, with the ServerTokens
directive. You can use this if you wish, but again, don't think that it's going to magically prevent you from getting attacked.
Showing the full string, with version information, could leave you at an increased risk from 0day attacks if the attacker has been keeping a list of which servers run what software.
That being said, you shouldn't expect that hiding a server string will protect you from hacking attempts. There are ways to fingerprint a server based on the way responses and errors are reported.
I disable my strings, as far as I can but I don't sweat about the ones I can't hide (e.g. OpenSSH).