@sheogorath

For practical operational security you definitely don't want to rely on HTTP headers because it's just the outer layer. Behind the Nginx you can have a whole bunch of other reverse-proxies, caches and microservices that can be vulnerable too.

You want to look at operating system package versions for things like Nginx and at all the dependencies of your application stack, such as Python packages in my case.