docs: http2 and tls feature improvements [skip ci]
describe also a workaround for `security-headers` feature
when using it along with `http2`
Diff
docs/content/features/http2-tls.md | 53 +++++++++++++++++++-------------
docs/content/features/security-headers.md | 4 ++-
2 files changed, 36 insertions(+), 21 deletions(-)
@@ -8,27 +8,38 @@ This feature is disabled by default and can be activated via the boolean `-t, --
SWS comes with safe TLS defaults for underlying cryptography.
- Cipher suites:
```rust
// TLS1.3 suites
TLS13_AES_256_GCM_SHA384
TLS13_AES_128_GCM_SHA256
TLS13_CHACHA20_POLY1305_SHA256
// TLS1.2 suites
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
```
- Key exchange groups:
- `X25519`, `SECP256R1` and `SECP384R1`
- Protocol versions:
- TLS `1.2` and `1.3`
These defaults are safe and useful for most use cases. See [Rustls safe defaults](https://docs.rs/rustls/0.21.1/rustls/struct.ConfigBuilder.html#method.with_safe_defaults) for more details.
- **Cipher suites:**
- TLS1.3:
```
TLS13_AES_256_GCM_SHA384
TLS13_AES_128_GCM_SHA256
TLS13_CHACHA20_POLY1305_SHA256
```
- TLS1.2:
```
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
```
- **Key exchange groups:**
- `X25519`, `SECP256R1` and `SECP384R1`
- **Protocol versions:**
- TLS `1.2` and `1.3`
These defaults are safe and useful for most use cases. See [Rustls safe defaults](https://docs.rs/rustls/0.21.1/rustls/struct.ConfigBuilder.html#method.with_safe_defaults) for more details.
## Private key file formats
Only the following private key file formats are supported:
- **RSA Private Key:** A DER-encoded plaintext RSA private key as specified in [PKCS#1/RFC3447](https://datatracker.ietf.org/doc/html/rfc3447).
- **PKCS8 Private Key:** A DER-encoded plaintext private key as specified in [PKCS#8/RFC5958](https://datatracker.ietf.org/doc/rfc5958/).
- **EC Private Key:** A Sec1-encoded plaintext private key as specified in [RFC5915](https://www.rfc-editor.org/rfc/rfc5915).
## Example
!!! info "Tips"
- Either `--host`, `--port` and `--root` have defaults (optional values) so they can be specified or omitted as required.
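Review bot: the "Private key file formats" list describes every format as "DER-encoded" or "Sec1-encoded" but never says whether the file passed on the command line must be raw DER or a PEM-armored file (`-----BEGIN PRIVATE KEY-----` around the base64 DER), which is what most readers will have on disk; one sentence stating the accepted container format would prevent a misconfiguration that only shows up as a TLS startup failure. Two smaller points in the same region: "Sec1-encoded" should read "SEC1-encoded" to match the standard's name as used in the other two bullets ("PKCS#1", "PKCS#8"), and the "Rustls safe defaults" link is pinned to `docs.rs/rustls/0.21.1`, so the cipher suite, key exchange group and protocol version lists above it will silently drift from the linked page when the dependency is bumped; either name the rustls version the lists were taken from in the prose or add a note that the defaults follow the bundled rustls release.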
@@ -6,6 +6,10 @@ When the [HTTP/2](../features/http2-tls.md) feature is activated *security heade
This feature is disabled by default on HTTP/1 and can be controlled by the boolean `--security-headers` option or the equivalent [SERVER_SECURITY_HEADERS](./../configuration/environment-variables.md#server_security_headers) env.
!!! info "Not enabled by default when using TOML config file"
This is an issue reported on [static-web-server#210](https://github.com/static-web-server/static-web-server/issues/210).
The workaround is just to enable the `security-header` explicitly along with the `tls` feature. More details on the [issue #210 comment](https://github.com/static-web-server/static-web-server/issues/210#issuecomment-1572686507).
!!! tip "Customize HTTP headers"
If you want to customize HTTP headers on demand then have a look at the [Custom HTTP Headers](custom-http-headers.md) section.
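Review bot: the new admonition is internally inconsistent about names: it says to enable "the `security-header`" (singular) while the option introduced two lines above is `--security-headers`, and it says to enable it "along with the `tls` feature" while the page, the cross-reference on the first context line and the commit message all call the feature HTTP/2 (`http2-tls.md`). Suggest "enable `--security-headers` (or `SERVER_SECURITY_HEADERS`) explicitly alongside the HTTP/2 TLS options" so a reader of the TOML section can map the workaround onto a real key. The note also says the issue "is reported" without stating which releases are affected or whether it has since been fixed; adding the affected version range (or "as of vX.Y") lets operators tell whether the workaround still applies to them, since its absence means a deployment that relies on the TOML file gets no security headers at all on HTTP/2.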