Using curl -v against your site, you can easily check the headers returned by your nginx server. To see only the HTTP exchange without the actual HTML content, send the output to /dev/null:
curl -v https://yoursite.com -o /dev/null
By default my site is returning:
< Server: nginx
< Date: Sat, 29 Jul 2017 20:12:10 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Link: <https://www.kevinhooke.com/wp-json/>; rel="https://api.w.org/"
< Link: <https://wp.me/91fMZ>; rel=shortlink
To add additional headers, such as XSS prevention headers:
X-XSS-Protection: 1; mode=block
Edit your nginx.conf and add to your server { } block:
add_header X-XSS-Protection "1; mode=block";
To hide X-Powered-By headers if you are using fastcgi, add:
fastcgi_hide_header X-Powered-By;
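To confirm both changes after reloading nginx, the following shell function checks a set of response headers for them. It is an added example, not part of the original post; the function names, sample names and sample header values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit response headers for the two nginx changes above.
# Reads headers on stdin ("curl -sI" output or the "< " lines of "curl -v"),
# prints one finding per line, and returns non-zero if any check fails.
check_headers() {
    tr -d '\r' | sed 's/^< //' | awk '
        # Split at the first colon; header names are case-insensitive.
        /^[A-Za-z0-9-]+:/ {
            i = index($0, ":")
            name = tolower(substr($0, 1, i - 1))
            val = substr($0, i + 1)
            sub(/^[ \t]+/, "", val)
            seen[name] = val
        }
        END {
            bad = 0
            if (!("x-xss-protection" in seen)) {
                print "FAIL x-xss-protection missing"; bad = 1
            } else if (tolower(seen["x-xss-protection"]) !~ /^1; *mode=block$/) {
                print "FAIL x-xss-protection is " seen["x-xss-protection"]; bad = 1
            } else {
                print "OK   x-xss-protection"
            }
            if ("x-powered-by" in seen) {
                print "FAIL x-powered-by exposed: " seen["x-powered-by"]; bad = 1
            } else {
                print "OK   x-powered-by hidden"
            }
            exit bad
        }'
}

# Constructed sample: "curl -v" style lines before the changes (CRLF endings).
sample_before() {
    printf '< Server: nginx\r\n< Content-Type: text/html\r\n< X-Powered-By: PHP/0.0.0\r\n'
}

# Constructed sample: "curl -sI" style lines after the changes.
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nx-xss-protection: 1; mode=block\r\n'
}

sample_before | check_headers || true   # reports two FAIL lines
sample_after | check_headers            # reports two OK lines
```

Against a live site, pipe the real headers in: curl -sI https://yoursite.com | check_headers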