Further discussion on optional SWAG headers

piramiday · 21 September 2021 12:08

is there a place somewhere that discusses more thoroughly the various optional headers found at the bottom of the ssl.conf file?

github.com

linuxserver/docker-swag/blob/master/root/defaults/ssl.conf#L35-L46

    
      
          # HSTS, remove # from the line below to enable HSTS
          #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
          
          
# Optional additional headers
          #add_header Cache-Control "no-transform" always;
          #add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
          #add_header Permissions-Policy "interest-cohort=()";
          #add_header Referrer-Policy "same-origin" always;
          #add_header X-Content-Type-Options "nosniff" always;
          #add_header X-Frame-Options "SAMEORIGIN" always;
          #add_header X-UA-Compatible "IE=Edge" always;
          #add_header X-XSS-Protection "1; mode=block" always;

for example, why isn’t HSTS enabled by default?
or, what are the various headers related to XSS security?
or, what does the Cache-Control header mean?

thanks. cheers

aptalca · 21 September 2021 12:39

All those options while increasing security, reduce convenience by potentially breaking certain things.
That’s why they’re provided as commented out by default.

You should be able to find plenty of info by googling them. If you don’t know what they are, you’re better off leaving them commented out. It’s up to you assess the risk before turning them on.

HSTS is a sledgehammer. Once turned on, it can and likely will break things and you can’t get rid of it by clearing the browser cache or using incognito.

piramiday · 21 September 2021 13:32

sure, what I meant is maybe adding a couple of comments per line to broadly give further info the the passing user.
for example, I appreciate the new header to turn off Google’s FLoC, but what are the implications of such technology on a private website, e.g. with no ads?

what kind of things would it break?
I have been using SWAG, subfolders included, with HSTS enabled without any issues.

aptalca · 21 September 2021 13:43

What you’re asking for would not be simple one liners due to the many possible scenarios. That’s why googling and researching them is recommended.

As a general rule, if you’re using SWAG to host a public website, like a company website and/or reverse proxy company nextcloud, etc. then turn all of those on for extra security.

But if you’re running a home lab where everything is behind something like Authelia and not publicly accessible, you don’t really need those.

With HSTS, once you turn it on, you can’t hit http sites anymore. So no more testing direct http connections like we recommend in this article, or apps that need http access like synclounge.

piramiday · 21 September 2021 14:03

thanks for the reply and the link.

I still think it would be beneficial to add a comment to each optional header, but I will not insist.

system · 26 September 2021 14:04

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.