Please see security overview in the documentation for an overview of security features--please let me know if the documentation doesn't answer your questions above?
Also, I wondered if you could share more about your requirements--are they requirements from internal security policy or external regulators (or both)?
Just curious, since SSL with NGINX seems to work for most users...