Drupal 7 cache problem

Hi,

On a Drupal 7 site hosted on a Xenial server running a LAMP stack with nginx in front (hosting), I'm having trouble getting a properly fresh cache. My changes to Drupal's Security Kit are not being picked up (normally this site gets a grade of A).

On the server, I also have APC enabled (from the repositories) and a Drupal module called Boost. But normally I can clear Drupal's caches with drush cc all, and I can then rebuild them with an HTTP spider:
drush8 cc all && drush8 --uri=https://www.publicitem.pro hss node

I was told that I apparently have a cache problem, judging by these two commands:

curl -SLIXGET https://www.publicitem.pro/
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Feb 2019 18:11:40 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 51992
Connection: keep-alive
Keep-Alive: timeout=60
X-Content-Type-Options: nosniff
ETag: "cb18-5821a0880dbd1"
Accept-Ranges: bytes
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
X-Cached-By: Boost

curl -SLIXGET https://www.publicitem.pro/?cachebust=$(date +%s)
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Feb 2019 18:10:47 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
X-Content-Type-Options: nosniff
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.google.com code.jquery.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' code.jquery.com cdn.rawgit.com static.addtoany.com secure.skypeassets.com *.skype.com google-analytics.com *.gstatic.com *.google.com cdn.ampproject.org; object-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com static.addtoany.com *.skype.com  *.google.com code.jquery.com; img-src 'self' 'unsafe-inline' 'unsafe-eval' data: secure.skypeassets.com *.google-analytics.com stats.g.doubleclick.net *.google.com; media-src 'self'; frame-src 'self' static.addtoany.com www.google.com www.youtube.com www.dailymotion.com cdn.ritekit.com; frame-ancestors 'self'; child-src 'self' static.addtoany.com www.google.com www.youtube.com www.dailymotion.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com 'self' 'unsafe-inline'; connect-src 'self' *.microsoft.com *.google-analytics.com stats.g.doubleclick.net; report-uri /report-csp-violation
X-Content-Security-Policy: default-src 'self' *.google.com code.jquery.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' code.jquery.com cdn.rawgit.com static.addtoany.com secure.skypeassets.com *.skype.com google-analytics.com *.gstatic.com *.google.com cdn.ampproject.org; object-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com static.addtoany.com *.skype.com  *.google.com code.jquery.com; img-src 'self' 'unsafe-inline' 'unsafe-eval' data: secure.skypeassets.com *.google-analytics.com stats.g.doubleclick.net *.google.com; media-src 'self'; frame-src 'self' static.addtoany.com www.google.com www.youtube.com www.dailymotion.com cdn.ritekit.com; frame-ancestors 'self'; child-src 'self' static.addtoany.com www.google.com www.youtube.com www.dailymotion.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com 'self' 'unsafe-inline'; connect-src 'self' *.microsoft.com *.google-analytics.com stats.g.doubleclick.net; report-uri /report-csp-violation
X-WebKit-CSP: default-src 'self' *.google.com code.jquery.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' code.jquery.com cdn.rawgit.com static.addtoany.com secure.skypeassets.com *.skype.com google-analytics.com *.gstatic.com *.google.com cdn.ampproject.org; object-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com static.addtoany.com *.skype.com  *.google.com code.jquery.com; img-src 'self' 'unsafe-inline' 'unsafe-eval' data: secure.skypeassets.com *.google-analytics.com stats.g.doubleclick.net *.google.com; media-src 'self'; frame-src 'self' static.addtoany.com www.google.com www.youtube.com www.dailymotion.com cdn.ritekit.com; frame-ancestors 'self'; child-src 'self' static.addtoany.com www.google.com www.youtube.com www.dailymotion.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com 'self' 'unsafe-inline'; connect-src 'self' *.microsoft.com *.google-analytics.com stats.g.doubleclick.net; report-uri /report-csp-violation
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
From-Origin: same
Referrer-Policy: same-origin
Content-Language: fr
X-UA-Compatible: IE=edge
Link: <https://www.publicitem.pro/agence-communication-web?amp>; rel="amphtml",<https://www.publicitem.pro/>; rel="canonical",<https://www.publicitem.pro/node/87>; rel="shortlink"
Vary: Accept-Encoding

Any idea how I can sort out my caches?

Thanks for any help.

PS: I ran cron manually, in addition to the automatic run, on the Drupal site in question.

Drupal version: 
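
Added example, not part of the original post: a shell check that compares two `curl -I` header dumps and lists the security headers present on the dynamic response but absent from the cached one, as in the two outputs above. The sample dumps are constructed, trimmed copies of those outputs; the function names and the header list are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample input: trimmed copies of the two header dumps in the post.
CACHED="HTTP/1.1 200 OK
Server: nginx
X-Content-Type-Options: nosniff
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Cached-By: Boost"

DYNAMIC="HTTP/1.1 200 OK
Server: nginx
X-Content-Type-Options: nosniff
Cache-Control: no-cache, must-revalidate
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: same-origin"

# Headers to compare (assumed list, adjust to your policy).
SEC_HEADERS="content-security-policy strict-transport-security x-frame-options x-content-type-options referrer-policy"

# Print the lower-cased header names of the LAST response in a dump read
# from stdin (curl -L prints one header block per redirect hop).
header_names() {
  tr -d '\r' | awk -F: '
    /^HTTP\// { out = ""; next }           # new response: forget earlier hops
    NF > 1    { out = out tolower($1) "\n" }
    END       { printf "%s", out }' | sort -u
}

# missing_in_cached CACHED DYNAMIC
# Print each security header the dynamic response sends but the cached one lacks.
missing_in_cached() {
  cached_names=$(printf '%s\n' "$1" | header_names)
  dynamic_names=$(printf '%s\n' "$2" | header_names)
  for h in $SEC_HEADERS; do
    if printf '%s\n' "$dynamic_names" | grep -qxF "$h" &&
       ! printf '%s\n' "$cached_names" | grep -qxF "$h"; then
      printf '%s\n' "$h"
    fi
  done
}

# Succeeds when the dump carries the X-Cached-By: Boost marker.
served_from_boost() {
  printf '%s\n' "$1" | tr -d '\r' | grep -qi '^x-cached-by:[[:space:]]*boost'
}

missing_in_cached "$CACHED" "$DYNAMIC"
```

Against a live site, pass the output of each `curl -sSLI` call in place of the two sample variables. Boost serves pages as static files, so headers that Drupal adds in PHP appear on those pages only if the web server sets them as well.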
