To enable HTTP Strict Transport Security for Apache you can edit the vhosts file. This should only apply to HTTPS connections and therefore is added to the VirtualHost 443 section.
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
The max-age value is in seconds. Use 31536000 for 12 months or 63072000 for 24 months
Adding includeSubdomains means that subdomains of the main domain should also be accessed using SSL