by justinclift 1052 days ago
While it kind of is security by obscurity, it's a very basic piece of server hardening to stop telling potential attackers what software you're using (within reason).

Back in the day (!), server software used to honestly respond with things like the software name and exact version number it was running.

Naturally, that meant scanning for vulnerabilities was a lot easier than it needed to be.

1 comments
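
An added example, not part of the original thread: a defender-side audit of your own server's response headers for the name-and-version disclosure described in the post above. The header list, the version regex and the two sample responses are assumptions constructed for illustration.

```python
import re

# Headers that commonly carry a product banner (assumed audit list, not from the thread).
BANNER_HEADERS = ("server", "x-powered-by", "x-generator")

# "product/1.2.3" or "product 1.2.3": a name followed by a dotted version number.
VERSION_RE = re.compile(r"([A-Za-z][\w.+-]*)[/ ]v?(\d+(?:\.\d+)+[\w.-]*)")

def parse_headers(raw):
    """Split a raw HTTP response head into (name, value) pairs, keeping duplicates."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:              # skip the status line
        if line[:1] in (" ", "\t") and pairs:      # obsolete folded continuation line
            pairs[-1] = (pairs[-1][0], pairs[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """Return (header, kind, detail) findings; kind is 'version' or 'product'."""
    findings = []
    for name, value in parse_headers(raw):
        if name not in BANNER_HEADERS or not value:
            continue
        hits = VERSION_RE.findall(value)
        if hits:   # exact version disclosed: the case the post calls out
            findings.append((name, "version", ", ".join(f"{p} {v}" for p, v in hits)))
        else:      # product name only: lower priority, still worth reviewing
            findings.append((name, "product", value))
    return findings

# Constructed sample responses (not captured from any real host).
VERBOSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f\r\n"
           "X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n<html>")
HARDENED = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("hardened", HARDENED)):
        print(label, audit(raw))
```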

All security is by obscurity. Some is useful.
Not true. There are some real cryptographic realities that are based in "open" math principles.

There's also the way of most using runtimes/libraries that (constantly) have CVEs in them; and understanding why it is that these languages have CVEs in the first place (see my comment on "eval()").

Also, the overly muscled guys out the front of night clubs aren't there for "obscurity" type security. ;)
A cryptographic key is an obscured secret.