The first thing an attacker will try to figure out is what web server you are running, and the language it is written in. Many web servers describe this information in HTTP headers, which is great advertising for the web server vendor, but bad news for you.
HTTP response from Apache 1.3.23Server: Apache/1.3.23
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/htmlHTTP response from Microsoft IIS 5.0Server: Microsoft-IIS/5.0
Content-Type: text/html
Accept-Ranges: bytes
ETag: "b0aac0542e25c31"
Content-Length: 7369