@PitaJ, @yari, I had a hard time with this myself.
It turns out nginx may change the recommended setup from one version to another. It's best to follow:
Latest setup recommendations for security for your nginx version: https://mozilla.github.io/server-side-tls/ssl-config-generator/
Remove exploits by adding into the nginx config file:
https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc
HSTS header - it looks as though someone else (nodebb? nodejs?) is inserting this header, so don't include that header in nginx.
Check your site: go to https://www.ssllabs.com/ssltest/. With the above you should get A+ 🙂
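
An added example, not part of the original post: a small check for the duplicate HSTS situation mentioned above, where both the application and nginx emit `Strict-Transport-Security`. RFC 6797 tells browsers to process only the first such header, so the check reports which policy actually takes effect. The response text and its `max-age` values are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample: response head as a client sees it when both the app
# and the reverse proxy add an HSTS header (values are illustrative only).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=63072000\r\n"
    "\r\n"
)

def hsts_headers(raw_head: str) -> list:
    """Return every Strict-Transport-Security value in a raw response head."""
    values = []
    for line in raw_head.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                            # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values

def parse_hsts(value: str) -> dict:
    """Split one HSTS value into max-age (int or None) and includeSubDomains."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        key, _, arg = directive.strip().partition("=")
        key, arg = key.strip().lower(), arg.strip()
        if key == "max-age" and re.fullmatch(r'"?\d+"?', arg):
            policy["max_age"] = int(arg.strip('"'))
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit(raw_head: str) -> dict:
    """Report duplicate or conflicting HSTS headers and the effective policy."""
    policies = [parse_hsts(v) for v in hsts_headers(raw_head)]
    return {
        "count": len(policies),
        "duplicate": len(policies) > 1,
        "conflicting": any(p != policies[0] for p in policies[1:]),
        "effective": policies[0] if policies else None,  # first header wins
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```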