I would like to add an HTTP Strict Transport Security directive to my .htaccess file. I've added the block at the end of the code here, but when I test it (Testing the HSTS preload process) it shows the setting as not set. I checked my Apache config and see the headers module enabled.
What am I missing?
<Files .htaccess>
order allow,deny
deny from all
</Files>
<FilesMatch "\.(png|gif|js|css)$">
ExpiresActive on
ExpiresDefault "access plus 1 month"
</FilesMatch>
# disable directory autoindexing
Options -Indexes
ErrorDocument 400 http://%{HTTP_HOST}
ErrorDocument 401 http://%{HTTP_HOST}
ErrorDocument 402 http://%{HTTP_HOST}
ErrorDocument 403 http://%{HTTP_HOST}
ErrorDocument 405 http://%{HTTP_HOST}
ErrorDocument 404 /incl/pages/error404.php
ErrorDocument 500 http://%{HTTP_HOST}
RewriteEngine On
RewriteBase /
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
# BEGIN GZIP
<ifmodule mod_deflate.c>
AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript
</ifmodule>
# END GZIP
# Use HTTP Strict Transport Security to force client to use secure connections only
<ifmodule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</ifmodule>
I tested here and here.
For redirects you need to use the always attribute:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
From the mod_headers documentation:
You're adding a header to a locally generated non-success (non-2xx) response, such as a redirect, in which case only the table corresponding to always is used in the ultimate response.
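One way to confirm the difference offline, as an added example that is not part of the original question or answer: the script audits a captured redirect chain and reports every HTTPS hop that lacks a usable Strict-Transport-Security header. The host example.test, the extra HTTPS redirect to www, and both response chains are constructed assumptions for illustration.

```python
# Added example: offline audit of a captured response chain for HSTS coverage.
# All hosts and responses below are constructed samples, not real captures.

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-True}."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else True
    return directives

def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) from a raw response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return status, headers

def audit_chain(hops):
    """Return (url, status) for each HTTPS hop without a usable HSTS header."""
    missing = []
    for url, raw in hops:
        if not url.lower().startswith("https://"):
            continue  # browsers ignore HSTS received over plain HTTP
        status, headers = parse_head(raw)
        hsts = parse_hsts(headers.get("strict-transport-security", ""))
        if not str(hsts.get("max-age", "")).isdigit():
            missing.append((url, status))
    return missing

HSTS = "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"
# Constructed: with "Header set", the locally generated 301 carries no HSTS header.
CHAIN_SET = [
    ("http://example.test/", "HTTP/1.1 301 Moved Permanently\nLocation: https://example.test/"),
    ("https://example.test/", "HTTP/1.1 301 Moved Permanently\nLocation: https://www.example.test/"),
    ("https://www.example.test/", "HTTP/1.1 200 OK\n" + HSTS),
]
# Constructed: with "Header always set", the HTTPS redirect carries it too.
CHAIN_ALWAYS = [CHAIN_SET[0], (CHAIN_SET[1][0], CHAIN_SET[1][1] + "\n" + HSTS), CHAIN_SET[2]]

if __name__ == "__main__":
    print("Header set:       ", audit_chain(CHAIN_SET))
    print("Header always set:", audit_chain(CHAIN_ALWAYS))
```

To audit a real site, replace the constructed chains with the URL and response head of each hop saved from your own server.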