On the admin page, my oC 9.1.4 installation tells me to harden my HTTPS settings:
The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.
which explains how to "Enable HTTP Strict Transport Security". In there, it says to add the lines
<IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" </IfModule>
to the .htaccess file (in the oC root folder, right?).
That's what I did, but I still get the initial warning. What am I doing wrong?