I wonder if it is a good and consistent way to currently:
- hide the nginx version information from replies in header, but
- display the exact version and git patch level in html source code of Discourse
If someone has an automated tool searching for unpatched security issues, it is failry easy if the HTML source displays the version in the meta generator tag.
I would suggest to remove that information from anonymous requests at least, perhaps even from all non admin accesses.