The point of stripping Date and Last-Modified headers is that HTTP fingerprinting tools look at things like header order, the formatting of dates and times, etc.
The Date and Last-Modified headers exist as an integral part of HTTP/1.1, and removing and/or fiddling with them isn't a good idea protocol-wise.
The ServerTokens directive currently can at best be set to Prod, which will cause it to return "Apache".
Anyhow, how about a patch that just allows ServerTokens to be set to "None" and gets rid of just the Server header?
Because this is simply security through obscurity. A server with an exploit is still exploitable regardless of whether it returns a server header or not. Rather, ensure your software is patched up to date at all times.
I believe that playing with or removing these headers is a waste of time.
Regards,
Graham
--
-----------------------------------------
[EMAIL PROTECTED] "There's a moon
over Bourbon Street
tonight..."