nginx: How To Block Exploits, SQL Injections, File Injections, Spam, User Agents, Etc. HSTS header - it looks as though someone else (nodebb? nodejs?) is inserting this header, so don't include that header in nginx.
Check your site: go to: https://www.ssllabs.com/ssltest/ with the above you should get A+ 🙂