Hey! It doesn't really matter how and where you set the header, as long as it is correctly returned to the web browser.
If you're using Apache, you can use mod_headers like so:
Header set Strict-Transport-Security "options"
httpd.apache.org/docs/current/mod/mod_headers.html
Not really related to HSTS, but since you are already using Apache then check out ModSecurity and the OWASP Core Ruleset as well, it will provide you a WAF (Web Application Firewall) capability to your Apache server and protect your PHP application from most obviously malicious input.
owasp.org/www-project-modsecurity-core-rule-set