There are four different security header layouts that can be specified in WCF. The values are defined in WS-SecurityPolicy. They are,
WCF provides a way to specify the security header layout using a switch on the security binding element called securityHeaderLayout.
Strict is the default mode in WCF. Lax mode can be slower to reject invalid messages, because most of the validation is done after the security header is consumed. LaxWithTimestampLast serves the least purpose among the different header layouts but is defined for interop reasons.
So what should you use? Lax is predominantly used when incoming messages can be generated by different stacks. If all your messages are from WCF, then using the default of Strict gives the maximum benefit.
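The recommendation above as a configuration sketch, added here as an example and not taken from the original post: one service exposes a Strict endpoint for WCF-only callers and a separate Lax endpoint for callers on other stacks, so the relaxed layout is confined to where it is needed. The service and contract names, binding names, addresses and the choice of `UserNameOverTransport` are assumptions.

```xml
<!-- Added example. Contoso.* names, binding names and addresses are assumed. -->
<system.serviceModel>
  <bindings>
    <customBinding>
      <!-- Callers are all WCF: keep Strict (the default, made explicit here)
           so a badly ordered security header is rejected early. -->
      <binding name="wcfOnlyStrict">
        <security authenticationMode="UserNameOverTransport"
                  securityHeaderLayout="Strict"
                  includeTimestamp="true" />
        <textMessageEncoding />
        <httpsTransport />
      </binding>

      <!-- Callers on other stacks may order header items differently: Lax
           accepts that, at the cost of validating later. -->
      <binding name="interopLax">
        <security authenticationMode="UserNameOverTransport"
                  securityHeaderLayout="Lax"
                  includeTimestamp="true" />
        <textMessageEncoding />
        <httpsTransport />
      </binding>
    </customBinding>
  </bindings>

  <services>
    <service name="Contoso.OrderService">
      <!-- Internal WCF clients -->
      <endpoint address="internal"
                binding="customBinding"
                bindingConfiguration="wcfOnlyStrict"
                contract="Contoso.IOrderService" />
      <!-- Partner clients on non-WCF stacks -->
      <endpoint address="partners"
                binding="customBinding"
                bindingConfiguration="interopLax"
                contract="Contoso.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```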