Without experimenting with Swift it is hard to say.

All the Security Headers plugin does is write the headers with PHP at the appropriate events.

Some caching plugins can (optionally) cache these headers. If the cache plugin removes the security headers it is because it is side stepping the usual WordPress events. But otherwise the headers shouldn’t impact caching (other than the usual impact of HTTPS on caching).

I’d still suggest caching plugins are the wrong approach to WordPress performance, CDNs and generic reverse proxies (Varnish, HAProxy,Squid etc) are what I’ve done in the past. They aren’t tied to just WordPress content, and CDNs can address DDoS threats.

If you know the web host technology and have permission you can use htaccess files (or the web server config, some web servers can also do a basic proxy where static content such as images & CSS are served by the web server without PHP on second and subsequent requests, but again this is getting messy), the GD Security Headers plugin among others provides a point and click approach to htaccess config for similar headers, but I’ve not used it in anger.