Report Server, X-Powered-By, X-AspNet-Version and X-AspNetMvc-Version
headers, whose presence leaks the server/framework stack. Server only
warns on informative values (version/product detail), accepting a
non-informative value per OWASP.
Absent is now OK (OWASP recommends leaving it unset or set to 0),
and filtering mode (bare 1 or 1; report=...) is Warn since selective
script rewriting can itself introduce XSS. 1; mode=block stays Info.
