Insecure HTTP headers

During our security review we figured out that.
Response header is exposing technology used:

server:nginx

Strict transport layer security and other headers are missing:

Strict-Transport-Security:max-age=15552000; includeSubDomains
X-DNS-Prefetch-Control:off
X-XSS-Protection:1; mode=block

The HSTS header should be there although at this time it does not include the sub-domains option. In relation to the other situations you should update the question with the relevant endpoints that you tested and where you observed each behavior.