I am thinking in terms of: Intrusion starts with spotting the user with desired credentials. This way administrator/moderator/team accounts couldn't be targets to any attacks. As such a username (account with ACP access) wouldn't be exposed to the public, whatsoever.
But since many BBs, for many years did well without it, I come around to the first line: "Nice to have".
@mosthated , Most probably your website already in production (hope it's being doing well ). Still, if you'll need to auto-resize the NodeBB embedded in iframe into a host website, try this plugin https://www.npmjs.com/package/nodebb-plugin-iframe-resizable (together with iframe-resizer of course). I wrote it just because I have struggled with exactly the same problem as you.
nginx must be on version 1.4.x to properly support websockets. Debian/Ubuntu uses 1.2, although it will work there will be a reduction in functionality.
Previously, in the same doc:
NGINX version v1.3.13 or greater
I'm not sure if that is just a sign of an outdated doc, or if there is actually some type of incompatibility (which apparently doesn't surface everywhere). All I know is that by reverting to 1.4.x, all functionality was restored.