We have a website that is built on Silverstripe / PHP / Apache Tomcat. For all valid requests, the redirections for Page not found and backend not available, which are configured in .htaccess, are working fine.
In case of invalid requests (there are some URLs generated by Silverstripe, I guess), the redirection to error pages doesn't happen. In such a case the Apache Web Server Signature is displayed in the browser, which can be used by an attacker to launch further attacks on the application.
We have tried the settings below, but no luck.
In the Apache config file:
ServerSignature Off
ServerTokens Prod
Happy to share more details if required.
Thanks!
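One way to check which of the two directives above is actually in effect on a given error response, added here as an example that is not part of the original post: it parses a raw HTTP response and reports whether the `Server` header or the error-page footer still discloses a version. The sample responses, version string and host name are constructed, and `audit_response` is a hypothetical helper name.

```python
import re

# Footer line that ServerSignature On/EMail appends to server-generated pages.
FOOTER_RE = re.compile(rb"<address>(.*?)</address>", re.I | re.S)
# A product token followed by "/version", e.g. "Apache/2.4.41".
VERSION_RE = re.compile(r"[A-Za-z_-]+/\d[\w.]*")

def audit_response(raw: bytes) -> dict:
    """Report what a raw HTTP response reveals about the server software."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    match = FOOTER_RE.search(body)
    footer = match.group(1).decode("iso-8859-1").strip() if match else ""
    return {
        "status": status,
        "server_header": server,
        # ServerTokens Prod reduces the header to the bare product name.
        "header_leaks_version": bool(VERSION_RE.search(server)),
        # ServerSignature Off removes the footer entirely.
        "signature_footer": footer,
        "footer_leaks_version": bool(VERSION_RE.search(footer)),
    }

# Constructed samples: a default error page, and the same page once both
# directives have taken effect for the host that served it.
LEAKY = (b"HTTP/1.1 400 Bad Request\r\n"
         b"Server: Apache/2.4.41 (Ubuntu)\r\n"
         b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
         b"<html><body><h1>Bad Request</h1><hr>\n"
         b"<address>Apache/2.4.41 (Ubuntu) Server at www.example.test "
         b"Port 80</address>\n</body></html>")
HARDENED = (b"HTTP/1.1 400 Bad Request\r\n"
            b"Server: Apache\r\n"
            b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
            b"<html><body><h1>Bad Request</h1></body></html>")

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_response(raw))
```

If the footer persists while the header is already reduced, the `ServerSignature` setting is not reaching the host that served the response; `ServerTokens` is only honoured in the main server configuration, not in a virtual host or `.htaccess`.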