I've not looked into it, but presumably it's because whatever web server framework they are using might not be as bug-free and battle-tested as a dedicated web server application like nginx, so by limiting the actual web server's exposure you are limiting the attack surface.