remove/change the "server" response header or at least remove the version number
also remove or change X-Generator or X-Powered-By etc. response headers, I'm sure there are tons of other ways to find out the CMS/framework or whatever is behind the generated code, but why not making it a little bit harder? :)
Also make sure to replace/remove the default host html. Point an nonexisting vhost/domain to your web server. It should probably return some 4-- error or a blank page, but not the default "It works!" kind of page.
Check session for jailbreak in case of session being stored on disk or for mysql injection in case of storing session in mysql and so on. Never trust the user :)
If you have some other things you check on your pages, please, share it.