SWS supports several security headers.
When the HTTP/2 feature is activated, security headers are enabled automatically.
This feature is disabled by default on HTTP/1 and can be controlled by the boolean
--security-headers option or the equivalent SERVER_SECURITY_HEADERS environment variable.
Customize HTTP headers
If you want to customize HTTP headers on demand then have a look at the Custom HTTP Headers section.
The following headers are included by default.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload (2 years max-age)
X-XSS-Protection: 1; mode=block
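
One way to check a response against the two headers listed above, as an added example that is not part of the SWS documentation or code base. The function names and the sample response heads are constructed for illustration.

```python
# Added example (not SWS code): audit a response head for the headers listed above.
MIN_MAX_AGE = 63072000  # 2 years, the max-age value stated on this page

def parse_headers(raw):
    """Return {lowercased header name: value} from a raw HTTP response head."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_directives(value):
    """Split 'a=1; b; c' into {'a': '1', 'b': '', 'c': ''} with lowercased keys."""
    out = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, _, val = part.partition("=")
        out[key.strip().lower()] = val.strip().strip('"')
    return out

def audit(raw):
    """Return a list of findings; an empty list means both headers match the page."""
    headers, findings = parse_headers(raw), []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_directives(hsts)
        age = d.get("max-age", "")
        if not age.isdecimal() or int(age) < MIN_MAX_AGE:
            findings.append("HSTS max-age below 63072000")
        findings += [f"HSTS missing {f}" for f in ("includesubdomains", "preload") if f not in d]
    xxp = headers.get("x-xss-protection")
    if xxp is None:
        findings.append("missing X-XSS-Protection")
    elif parse_directives(xxp) != {"1": "", "mode": "block"}:
        findings.append("X-XSS-Protection is not '1; mode=block'")
    return findings

# Constructed sample response heads (not captured from a real server).
ENABLED = ("HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n"
           "strict-transport-security: max-age=63072000; includeSubDomains; preload\r\n"
           "x-xss-protection: 1; mode=block\r\n\r\n")
DISABLED = "HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n\r\n"
WEAK = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\nX-XSS-Protection: 0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("enabled", ENABLED), ("disabled", DISABLED), ("weak", WEAK)):
        print(label, audit(raw) or "ok")
```

Header names are compared case-insensitively, so the same check applies to HTTP/1 responses and to HTTP/2 responses, where names arrive in lowercase.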