Our goal with Cloud Forums is to treat our installation like an enterprise setup and use best practice security when we can.
Discourse is a web application, so it is wide open on two ports. That opens a possible attack surface, although a necessary one to deliver web services. We can mitigate many common web attacks by using a Web Application Firewall (WAF). A WAF will block suspicious requests that include SQL injection, XSS, etc.
I think we will probably do a detailed guide in the future, but essentially you read the forum posts on NGINX and WAF and follow the steps in this NGINX proxy guide.