Sadly nly is right. The only other option to change this is the ngx_headers_more module, but that still requires a rebuild. I suppose that way you at least get a little more functionality for your troubles.
You also need that module to do per URI/path/regex match headers properly, because add_header + location blocks are woefully insufficient thanks to the way they are processed. This is one reason I gave up on CSP under nginx.
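The `add_header` behaviour the comment above refers to, shown as an added example that is not from any of the commenters: nginx inherits `add_header` directives from the enclosing level only when the current level defines none of its own, so a single `add_header` in a `location` drops the server-level security headers for that location. The server name, paths, header values and snippet file name are constructed for illustration.

```nginx
# Constructed example; names, paths and policy values are placeholders.
server {
    listen 80;
    server_name example.test;
    root /var/www/example;

    # Server-level security headers.
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'self'" always;

    # No add_header at this level: both server-level headers are inherited.
    location / {
        try_files $uri $uri/ =404;
    }

    # Pitfall: one add_header at this level replaces the inherited set.
    # Responses from /static/ carry Cache-Control only; nosniff and the
    # CSP are no longer sent.
    location /static/ {
        add_header Cache-Control "public, max-age=3600";
    }

    # Workaround without extra modules: restate every header at any level
    # that adds one, here through a shared snippet file (hypothetical path)
    # that contains the two server-level add_header lines.
    location /assets/ {
        include snippets/security-headers.conf;
        add_header Cache-Control "public, max-age=3600";
    }
}
```

Comparing the response headers returned for each location (for example with `curl -I`) shows which set actually applies.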
As if turning it off helps. Nginx is so popular, attackers would just try Nginx-specific exploits right after trying Apache ones even if they don't know for sure whether you are running Nginx.