Apache has no built-in priority system for config files. What makes this work is the IncludeOptional directive: it expands globs in alphabetical order. For directives like ServerTokens that take a single value, the last definition Apache reads wins.
On Debian, apache2.conf ships with IncludeOptional conf-enabled/*.conf. The same approach works on any distribution that uses IncludeOptional with a glob.
You can use this to override values from Debian’s default security.conf without touching it, so your changes survive package upgrades.
Create the Override File
Write Your Overrides
Enable and Reload
The zzz- prefix guarantees the file loads after security.conf. Even if a package update resets security.conf to Debian’s default ServerTokens OS, your override still wins.
Verify
Force a conflict by temporarily setting ServerSignature On and ServerTokens OS in security.conf, then reload Apache and check:
The response should still show Server: Apache (no version), proving that zzz-security-override.conf takes precedence.