I wonder if it is a good and consistent way to currently:
hide the nginx version information from replies in header, but
display the exact version and git patch level in html source code of Discourse
If someone has an automated tool searching for unpatched security issues, it is fairly easy if the HTML source displays the version in the meta generator tag.
I would suggest removing that information from anonymous requests at least, perhaps even from all non-admin accesses.
I consider this “security by obscurity” which is no real kind of security at all. It’s better to focus efforts on techniques that actually improve security…