How to mask Apache server information during requests?
For example:
curl -k -i --head https://_host._domain._com
HTTP/1.1 302 Found
Date: Wed, 14 Apr 2021 19:10:16 GMT
Server: Apache
Access-Control-Allow-Origin: *
Access-Control-Allow-Method: POST, GET, OPTIONS, DELETE, PUT
Access-Control-Max-Age: 1000
Release : 12.8.7
Component : SITEMINDER SECURE PROXY SERVER
Add these two lines within httpd.conf:
ServerSignature Off
ServerTokens Prod
"ServerSignature Off" tells Apache not to display the server version on error pages or on other pages it generates.
"ServerTokens Prod" tells Apache to return only "Apache" in the Server header, which is sent with every response.
Apache supports six ServerTokens settings:
Full (or not specified) - Server: Apache/2.4.39 (UNIX) PHP/7.0.25
Prod (or ProductOnly) - Server: Apache
Major - Server: Apache/2
Minor - Server: Apache/2.4
Min (or Minimal) - Server: Apache/2.4.39
OS - Server: Apache/2.4.39 (UNIX)
The response is as expected for the configuration.
When httpd.conf sets "ServerTokens Prod", the response will be "Server: Apache".
Omitting the "Server: Apache" header or masking it as "Server: Server" is not an out-of-the-box configuration option.
To verify the modules built into the CA Access Gateway (SPS):
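To confirm from the client side which of the six ServerTokens levels a host actually returns, the following added example classifies the Server header of a captured response. It is not part of the original article or the vendor's tooling, and the function names and sample response are constructed for illustration.

```sh
#!/bin/sh
# Added example: report which ServerTokens level a response's Server header reveals.
# Function names and the sample response are constructed for illustration.

# Print the Server header value from raw response headers read on stdin.
server_header() {
    tr -d '\r' | awk 'tolower($0) ~ /^server:/ {
        sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# Map a Server header value to the ServerTokens setting that produces it.
classify_tokens() {
    v=$1
    if [ -z "$v" ]; then echo "absent"
    elif [ "$v" = "Apache" ]; then echo "Prod"
    elif printf '%s\n' "$v" | grep -Eq '^Apache/[0-9]+$'; then echo "Major"
    elif printf '%s\n' "$v" | grep -Eq '^Apache/[0-9]+\.[0-9]+$'; then echo "Minor"
    elif printf '%s\n' "$v" | grep -Eq '^Apache/[0-9]+(\.[0-9]+){2}$'; then echo "Min"
    elif printf '%s\n' "$v" | grep -Eq '^Apache/[0-9]+(\.[0-9]+){2} \([^)]*\)$'; then echo "OS"
    elif printf '%s\n' "$v" | grep -Eq '^Apache/[0-9]+(\.[0-9]+){2} \([^)]*\) .+$'; then echo "Full"
    else echo "unknown"
    fi
}

# Print the detected level; succeed only when no version or OS detail is exposed.
audit_response() {
    level=$(classify_tokens "$(server_header)")
    echo "$level"
    [ "$level" = "Prod" ] || [ "$level" = "absent" ]
}

# Constructed sample: headers as a server left at the default (Full) would send them.
sample='HTTP/1.1 302 Found
Date: Wed, 14 Apr 2021 19:10:16 GMT
Server: Apache/2.4.39 (UNIX) PHP/7.0.25'

if printf '%s\n' "$sample" | audit_response; then
    echo "Server header exposes product name only"
else
    echo "Server header exposes more than the product name"
fi
```

Against a live host, pipe the header output of the curl command shown at the top of this article into audit_response instead of the constructed sample.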
./apachectl -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
mpm_worker_module (static)
env_module (shared)
log_config_module (shared)
setenvif_module (shared)
mime_module (shared)
jk_module (shared)
alias_module (shared)
authz_core_module (shared)
unixd_module (shared)
slotmem_shm_module (shared)