To enable HTTP Strict Transport Security via PHP use the following code. This should be included at the head of all your sites PHP files. The preferred method is to add the header using Apache or server configs rather than PHP directly. Use this option if you do not have an alternative.
//Tell browser site should only be loaded over https
The max-age value is in seconds. Use 31536000 for 12 months or 63072000 for 24 months.
Adding includeSubdomains means that subdomains of the main domain should also be accessed using SSL