views: 26
answers: 2

The application I am currently working on has the following line in its response headers:

Server: Microsoft-IIS/6.0

I feel embarrassed. I am thinking about writing an HTTP module to cloak this field. However, I am a little afraid that browsers use this value, in order to achieve maximum performance, to alter some aspects of their HTTP implementation. So what can go wrong?

+1  A: 

Well, in short: unless the browser is some sort of robot looking for this information (mostly for the bad, you bet), there's nothing bad about deleting it.

This is useful for statistics purposes, for example, and even some great web services that could just not use it and save real money (actually, almost nothing for such a company) don't do that.

Henrique Vicente
+2  A: 

No, the Server field is purely informational, it does not concern the browser at all.

The HTTP Protocol RFC 2616 does not specify any behavior associated with this field:

14.38 Server

The Server response-header field contains information about the software used by the origin server to handle the request. The field can contain multiple product tokens (section 3.8) and comments identifying the server and any significant subproducts. The product tokens are listed in order of their significance for identifying the application.

It does note though:

Revealing the specific software version of the server might allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Server implementors are encouraged to make this field a configurable option.

deceze
Ok. Although I do not believe in security through obscurity, you convinced me with the RFC citation.
Jakub Šturc
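To make the RFC text above concrete, here is a small added audit helper (not code from the question or either answer) that pulls the Server field out of a raw HTTP response, splits it into product tokens and comments per RFC 2616 section 3.8, and reports which tokens carry a version. It is the kind of check one would run against a server before and after cloaking the header to confirm the version is no longer revealed; the sample responses are constructed.

```python
import re

# RFC 2616 section 3.8: product = token ["/" product-version]
# section 2.2: a token is any CHAR except CTLs and separators
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT_RE = re.compile(rf"^({TOKEN})(?:/({TOKEN}))?$")


def _split_outside_parens(value):
    """Split on whitespace, but keep '(...)' comments as single parts."""
    parts, buf, depth = [], "", 0
    for ch in value:
        if ch == "(":
            if depth == 0 and buf.strip():
                parts.append(buf.strip())
                buf = ""
            depth += 1
            buf += ch
        elif ch == ")":
            depth = max(depth - 1, 0)
            buf += ch
            if depth == 0:
                parts.append(buf.strip())
                buf = ""
        elif ch.isspace() and depth == 0:
            if buf.strip():
                parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        parts.append(buf.strip())
    return parts


def parse_server_header(value):
    """Return ([(product, version_or_None), ...], [comment, ...])."""
    products, comments = [], []
    for part in _split_outside_parens(value):
        if part.startswith("(") and part.endswith(")"):
            comments.append(part[1:-1])
            continue
        m = PRODUCT_RE.match(part)
        # A part that does not fit the grammar is kept as an opaque product name.
        products.append((m.group(1), m.group(2)) if m else (part, None))
    return products, comments


def get_header(raw_response, name):
    """Value of header `name` from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            key, val = line.split(":", 1)
            if key.strip().lower() == name.lower():
                return val.strip()
    return None


def audit_server_header(raw_response):
    """Report what the Server field reveals; 'versions' lists product/version pairs."""
    value = get_header(raw_response, "Server")
    if value is None:
        return {"present": False, "versions": []}
    products, comments = parse_server_header(value)
    return {"present": True, "value": value, "products": products,
            "comments": comments,
            "versions": [f"{p}/{v}" for p, v in products if v]}


# Constructed sample responses: one leaking a version, one without any.
RESPONSE_VERBOSE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
                    "Content-Length: 0\r\n\r\n")
RESPONSE_MINIMAL = "HTTP/1.1 200 OK\r\nServer: Apache (Unix)\r\nContent-Length: 0\r\n\r\n"
```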
