Remove "ServerTokens Prod" setting

[creopard]

This setting simply can't be set in .htaccess, but only in httpd.conf file according to Apache's specification:
http://httpd.apache.org/docs/2.2/en/mod/core.html#servertokens
Doing so will just result in an 500 internal error.

The spec's line "Context:" at "ServerTokens Directive" only lists "server config" but not ".htaccess"

[LeoColomb]

That's why there is a warning, right? 😉

server-configs-apache/src/security/server_software_information.conf

Lines 19 to 20 in 18a537b

	# (!) The `ServerTokens` directive will only work in the main server
	# configuration file, so don't try to enable it in the `.htaccess` file!

[creopard]

That's it. Whats the use of a setting when you can't enable it?
Just for documentary purposes?

[LeoColomb]

Honestly I don't know. Related commits are not very verbose.

That say this may be relevant for #1.

[Malvoz]

I don't think h5bp wants to assume a user does or does not have access to the main server configuration file. The current approach informs users with access to the main config file the availability of ServerTokens, and clearly states to not use it if you don't have access.

However (unrelated to ServerTokens but related to comments on main config file), the comment about avoiding .htaccess should also recommend setting AllowOverride to not allow .htaccess because:

When AllowOverride is set to allow the use of .htaccess files, httpd will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a performance hit, whether or not you actually even use them!

https://httpd.apache.org/docs/2.4/howto/htaccess.html#when

[XhmikosR]

Yeah, I'd say this should stay as is for the aforementioned reasons.

[LeoColomb]

Agreed, closing.
@Malvoz Feel free to open a PR to add this recommendation. 👍