Further discussion on optional SWAG headers

is there a place somewhere that discusses more thoroughly the various optional headers found at the bottom of the ssl.conf file?

for example, why isn’t HSTS enabled by default?
or, what are the various headers related to XSS security?
or, what does the Cache-Control header mean?

thanks. cheers

All those options while increasing security, reduce convenience by potentially breaking certain things.
That’s why they’re provided as commented out by default.

You should be able to find plenty of info by googling them. If you don’t know what they are, you’re better off leaving them commented out. It’s up to you to assess the risk before turning them on.

HSTS is a sledgehammer. Once turned on, it can and likely will break things and you can’t get rid of it by clearing the browser cache or using incognito.

sure, what I meant is maybe adding a couple of comments per line to broadly give further info to the passing user.
for example, I appreciate the new header to turn off Google’s FLoC, but what are the implications of such technology on a private website, e.g. with no ads?

what kind of things would it break?
I have been using SWAG, subfolders included, with HSTS enabled without any issues.

What you’re asking for would not be simple one liners due to the many possible scenarios. That’s why googling and researching them is recommended.

As a general rule, if you’re using SWAG to host a public website, like a company website and/or reverse proxy company nextcloud, etc. then turn all of those on for extra security.

But if you’re running a home lab where everything is behind something like Authelia and not publicly accessible, you don’t really need those.

With HSTS, once you turn it on, you can’t hit http sites anymore. So no more testing direct http connections like we recommend in this article, or apps that need http access like synclounge.
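The two replies above (the "HSTS is a sledgehammer" warning and the "you can't hit http sites anymore" explanation) can be made concrete with a small script. This is an added example for this thread, not code from SWAG or LinuxServer.io: it audits a set of response headers the way the optional block at the bottom of ssl.conf would produce them, and models a browser's separate HSTS store to show why clearing the page cache does not undo HSTS, why `includeSubDomains` also locks down hosts like a synclounge subdomain, and what a server has to send (`max-age=0`) to retract the policy. The header values in `SAMPLE_HEADERS_ALL_ON` mirror the commonly recommended defaults but are assumptions; check your own ssl.conf for the exact lines.

```python
"""Audit optional SWAG/nginx security headers and model a browser's HSTS store.

Added example for the forum thread; not SWAG's own code. Header values are
assumed, constructed samples, not copied from any particular ssl.conf.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: what a vhost sends with every optional header uncommented.
SAMPLE_HEADERS_ALL_ON = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "same-origin",
    "Permissions-Policy": "interest-cohort=()",
    "Content-Security-Policy": "upgrade-insecure-requests; frame-ancestors 'self'",
    "Cache-Control": "no-transform",
}
# Constructed sample: the shipped default, everything still commented out.
SAMPLE_HEADERS_DEFAULT: Dict[str, str] = {}


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797: ';'-separated directives)."""
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None or max_age < 0:
        return None  # max-age is mandatory; without it the header is ignored
    return HstsPolicy(max_age, include_subdomains, preload)


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Explain, one finding per line, what each optional header does or what its absence allows."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    hsts = parse_hsts(h["strict-transport-security"]) if "strict-transport-security" in h else None
    if hsts is None:
        findings.append("HSTS off: browsers will still follow plain http:// links to this host")
    else:
        scope = "this host and every subdomain" if hsts.include_subdomains else "this host only"
        findings.append(f"HSTS on: browsers refuse http:// for {scope} for {hsts.max_age // 86400} days "
                        "(stored outside the page cache, so clearing it changes nothing)")
        if hsts.preload:
            findings.append("HSTS preload flag set: if submitted to the preload list it ships inside browsers")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing: browsers may sniff and execute mislabelled content")
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("No framing restriction: the site can be embedded in a third-party iframe (clickjacking)")
    if "content-security-policy" not in h:
        findings.append("CSP missing: script injected via XSS runs without restriction")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing: full URLs (paths, query tokens) leak to cross-origin links")
    if "interest-cohort=()" not in h.get("permissions-policy", "").replace(" ", ""):
        findings.append("Permissions-Policy lacks interest-cohort=(): visits may feed FLoC cohort calculation")
    if "cache-control" not in h:
        findings.append("Cache-Control missing: caching behaviour is left to the app and intermediaries")
    return findings


class HstsStore:
    """Minimal model of a browser's HSTS cache. Only call observe() for responses received over TLS."""

    def __init__(self) -> None:
        self._entries: Dict[str, tuple] = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host: str, header_value: str, now: float) -> None:
        policy = parse_hsts(header_value)
        if policy is None:
            return
        if policy.max_age == 0:
            self._entries.pop(host, None)  # max-age=0 is the server's way to retract the policy
        else:
            self._entries[host] = (now + policy.max_age, policy.include_subdomains)

    def must_use_https(self, host: str, now: float) -> bool:
        """True if the browser would rewrite http://host to https:// (exact match or covered parent)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


if __name__ == "__main__":
    for line in audit_headers(SAMPLE_HEADERS_DEFAULT):
        print("default:", line)
    store = HstsStore()
    store.observe("example.com", SAMPLE_HEADERS_ALL_ON["Strict-Transport-Security"], now=0.0)
    print("http://sync.example.com forced to https:", store.must_use_https("sync.example.com", 1.0))
```

Run it once against the default (all commented out) headers to see what each line would add, then note the store behaviour: after one HTTPS visit that carried the header, `sync.example.com` is forced to HTTPS too because of `includeSubDomains`, so a plain-http-only app on a subdomain stops working until the policy expires or the server sends `max-age=0` over HTTPS. Fetching real headers with `curl -sI https://your.host` and feeding them in is the practical check before uncommenting anything.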

thanks for the reply and the link.

I still think it would be beneficial to add a comment to each optional header, but I will not insist.
