Pretty sure a blackhat with nmap and a few hours would be a lot more effective than trying to glean something from this blogpost.

That's right, any pentester worth anything will know the stack used in a few seconds by looking at cookies or even sometimes just by the login page's url. For ex: different frameworks have different session and csrftoken naming, Rails and Django have recognizable url conventions, and there's always default error pages that usually give away the framework used.

Sharing is caring, be secure not paranoid :)

No - they won't. If you have a very simple front end stack, and application stack or infrastructure sure. But if I'm needing to traverse networks, or only directly get to a database - that's different than some silly nmap script kiddy scan.

Remember it is often easier to penetrate around the gates where everyone is looking (some app stack + OWASP top 10) to instead focus getting inside a network (your dev's laptop, vpn connection, social engineered access, malware to your CEO or sales team, Wi-Fi connection to intercept the VPN tunnels, etc). Or i'm looking for holes in Docker versions to root, Kubernetes flaws, virtual machine dependencies, how many microservices layers do I have to deal with, etc etc.

Security by obscurity?

Sure - telling me whether you have an api.<domain>.com doesn't matter. Anyone can scan and find that. But, if I know your database names (from a screenshot) and your hosting provider, I know that once I'm past a bastion host, or on your VPN connection - I don't have to wait to sniff or hope you connect to datasources. I now have an informed opinion on where to go.

Not a really good idea all by its own.

Absolutely, but a great idea when combined with other defensive tactics. Obscurity is why armies use camouflage.

I've often worried about that; in fact its really kept me from blogging about our infrastructure at all. Am I too paranoid? I've often thought if I were to do so that I'd set up a honeypot; but who has the time for such games?!