The HSTS Policy helps protect web application users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker has a greatly reduced ability to intercept requests and responses between a user and a web application server, while the user’s browser has HSTS Policy in effect for that web application

So what we need?

Activate mod headers in apache:

a2enmod headers

HSTS header into VirtualHost:

Header always set Strict-Transport-Security “max-age=31556926 includeSubDomains”

max age set the Time in seconds (this means we use 356 days) and includeSubDomains set the HSTS header also into your subdomains (recommended). If you don’t want his just only let it our and close after 31556926.

Done.