Hi Francis,
Thanks for the response.
After reading the documentation (http://wiki.nginx.org/HttpCoreModule#.24host):
When the HOST is empty, it responds with 400 as expected.
I think the argument would come down to whether we trust the value sent by the user.
In both uses of $http_host and $host, I think the 3rd curl command is trying to send a custom header whose HOST value is user-defined? I believe that if we compromised the DNS or the network, for example, there is a possible way to hijack the nginx servers by modifying the header...
Since $host is a strict version of $http_host, and when it's empty it uses the $server_name directive, I believe it's a small extra layer of security... besides getting rid of the port number in the response?
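
The $http_host versus $host question above, as an added configuration sketch that is not part of the original message or of any configuration posted in the thread. The name example.com, the port and the redirect are assumptions chosen for illustration.

```nginx
# Constructed example; example.com is a placeholder name.

# Before (weak): $http_host is the raw Host request header, so the
# redirect target is whatever the client sent, port included.
#
# server {
#     listen 80;
#     return 301 https://$http_host$request_uri;
# }

# Catch-all: a request whose Host matches none of the configured names
# is handled here instead of by a real site.
server {
    listen 80 default_server;
    server_name _;
    return 444;   # nginx-specific code: close the connection, send nothing
}

# After: only requests whose Host matched server_name reach this block.
server {
    listen 80;
    server_name example.com www.example.com;

    # $host is lowercased and has no port, but when a Host header is
    # present its value still originates from the request. The
    # server_name match plus the catch-all above is what bounds it to
    # the two names listed here.
    return 301 https://$host$request_uri;

    # For a value that never comes from the client, use the configured
    # name instead:
    # return 301 https://$server_name$request_uri;
}
```

Sending a request with an unlisted Host value to this listener should end in a closed connection from the catch-all block rather than a redirect that echoes the supplied name.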