Setting sendServerVersion to false in etc/jetty/jetty.xml is expected to remove the Server header from responses; however, after doing so, the header is still present.
<Set name="sendServerVersion"><Property name="jetty.send.server.version" default="true"/>false</Set>
curl -I http://localhost:8081
Adding this property to conf/nexus.properties will remove the Server header from all responses from Jetty that are not directly handled by our application:
For example, if our application is at web context path /nexus and you make a request to /someotherpath instead, you will get a 404 response without any Server header. This feature is preserved for requests not handled by our application.
However, there is no supported way to remove the Server header "Server: Nexus/2.15.1-02" when accessing content served from our application.
We consider responding with a Server header containing our product name and version valuable for debugging and tracing purposes, and so far we have decided not to change this behaviour. The "security through obscurity" justification for removing the header has so far not outweighed the benefits we observe by retaining it.
There is also no ability to completely remove the Server header inside our application. Instead, we recommend that this header be removed at the reverse proxy level if your organization needs that.
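A check for the behaviour described above, as an added example that is not part of the original article: it reads `curl -sI` output and reports whether the Server header a client receives is absent, version-less, or still carries a product version. The function names and the three sample responses are constructed for illustration; `check_url` assumes a URL you supply, such as the reverse proxy in front of Nexus.

```shell
#!/bin/sh
# Added example: report the Server header a client actually receives.

# Constructed sample responses (CRLF line endings, as `curl -sI` prints them).
sample_app_response() {        # content served by the application under /nexus
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Nexus/2.15.1-02\r\n\r\n'
}
sample_other_path_response() { # /someotherpath, not handled by the application
    printf 'HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n'
}
sample_proxied_response() {    # hypothetical proxy that replaced the header
    printf 'HTTP/1.1 200 OK\r\nserver: proxy\r\n\r\n'
}

# Print the Server value from the last response block on stdin.
# Header names are case-insensitive; each status line starts a new block,
# so redirect hops printed by `curl -sIL` do not leak into the result.
server_header() {
    awk '
        { sub(/\r$/, "") }
        /^HTTP\// { value = ""; next }
        tolower($0) ~ /^server:/ { value = $0; sub(/^[^:]*: */, "", value) }
        END { print value }
    '
}

# Classify the header read from stdin: absent, generic, or versioned.
classify_server_header() {
    value=$(server_header)
    if [ -z "$value" ]; then
        echo "absent"
    elif printf '%s' "$value" | grep -Eq '/[0-9]'; then
        echo "versioned: $value"    # product/version token still disclosed
    else
        echo "generic: $value"
    fi
}

# Live check against a URL you supply (not called here, so the script runs offline).
check_url() { curl -sI "$1" | classify_server_header; }

for s in sample_app_response sample_other_path_response sample_proxied_response; do
    printf '%s -> %s\n' "$s" "$($s | classify_server_header)"
done
```

Run `check_url` against both an application path and a path outside the web context, since the two are answered differently.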