FortiWeb
faical
Staff
Article Id 385256
Description

This article describes how to remove HTTP response headers that reveal the web server's name, type and version (for example 'Server' and 'X-Powered-By').

Scope

FortiWeb.

Solution

FortiWeb can be configured to remove HTTP response headers by using a URL Rewriting Policy.

In most cases the back-end server identifies itself through response headers such as 'Server' and 'X-Powered-By'. Both can be removed by a URL Rewriting Rule whose action rewrites HTTP response headers, configured as shown below:

 

delete_header.png

 

The match condition of the URL Rewriting Policy/Rule can be the HTTP Host. In this example it is the server's IP address (10.5.22.124), but in general a domain name is used, depending on how the web server is accessed.

 

Notes:

  • The URL Rewriting Policy must be referenced in the Web Protection Profile that the Server Policy uses; otherwise the rule is never evaluated.
  • Enable 'Remove Duplicate Headers', since some web servers return more than one 'X-Powered-By' header and every copy has to be removed.

 

CLI commands:

 

config waf url-rewrite url-rewrite-rule
    edit "Delete_header_server"
        set action http-response-header-rewrite
        config header-insert
        end
        config response-header-insert
        end
        config header-removal
        end
        config response-header-removal
            edit 1
                set response-removal-header-name Server
            next
            edit 2
                set response-removal-header-name X-Powered-By
            next
        end
        config match-condition
            edit 1
                set reg-exp 10.5.22.124
            next
        end
    next
end
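To make the rule's behaviour concrete, and to have a check to run after deploying it, the following is an added Python example (not FortiWeb code and not part of the original article). It models the same logic on constructed HTTP messages: every occurrence of 'Server' and 'X-Powered-By' is stripped from the response, but only when the request's Host matches the configured regular expression, and the result is then re-scanned for header names that still identify the server. The sample request and response, the LEAKY_HEADERS list (the article's two headers plus common extras) and the escaped pattern 10\.5\.22\.124 are assumptions made for the example.

```python
"""Model of the FortiWeb rule: host-conditioned removal of server-identifying
response headers, plus a post-deployment check. Added example, not FortiWeb code."""
import re

# Header names that reveal server software. The article's rule removes the
# first two; the others are common extras (assumption: extend per environment).
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Constructed sample traffic (assumed values, not captured from a real host).
REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 10.5.22.124\r\n"
    "User-Agent: header-check\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.57 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.2\r\n"
    "x-powered-by: Example-Framework/3.0\r\n"  # duplicate header, different case
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def parse_head(raw):
    """Split a message head into its first line and a list of (name, value)
    pairs. A list, not a dict, so duplicate headers survive parsing."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def serialize_head(first_line, headers):
    """Inverse of parse_head."""
    return "\r\n".join([first_line] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n"


def host_matches(request_headers, pattern):
    """The rule's match-condition: the request Host header tested against a
    regular expression (the article matches the server IP)."""
    return any(re.search(pattern, v) for n, v in request_headers if n.lower() == "host")


def remove_headers(headers, names):
    """Drop every occurrence of each named header. Matching is
    case-insensitive because HTTP header names are; removing all copies is
    what 'Remove Duplicate Headers' is needed for on FortiWeb."""
    drop = {n.lower() for n in names}
    return [(n, v) for n, v in headers if n.lower() not in drop]


def rewrite_response(request_raw, response_raw, host_pattern,
                     names=("Server", "X-Powered-By")):
    """Apply the removal only when the request's Host matches, exactly as the
    URL rewriting rule is scoped; otherwise return the response unchanged."""
    _, req_headers = parse_head(request_raw)
    status, resp_headers = parse_head(response_raw)
    if host_matches(req_headers, host_pattern):
        resp_headers = remove_headers(resp_headers, names)
    return serialize_head(status, resp_headers)


def find_leaks(response_raw, names=LEAKY_HEADERS):
    """Post-deployment check: list server-identifying headers still present."""
    _, headers = parse_head(response_raw)
    return [(n, v) for n, v in headers if n.lower() in names]


if __name__ == "__main__":
    print("before:", find_leaks(RESPONSE))
    cleaned = rewrite_response(REQUEST, RESPONSE, r"10\.5\.22\.124")
    print("after: ", find_leaks(cleaned))
    other = REQUEST.replace("10.5.22.124", "intranet.example")
    print("other host, untouched:",
          find_leaks(rewrite_response(other, RESPONSE, r"10\.5\.22\.124")))
```

Against a real deployment the same check is `find_leaks` applied to the headers returned by the FortiWeb virtual server; if the request reaches the server under a Host that the match condition does not cover (a second domain name, or the IP when only the name is matched), the headers come back unchanged, which the third run above shows.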

 

Related document:
Rewriting & redirecting