On the admin page, my oC 9.1.4 installation tells me to harden my HTTPS settings:
The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.
The link points to
which explains how to "Enable HTTP Strict Transport Security". In there, it says to add the lines
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
to the .htaccess file (in the oC root folder, right?).
That's what I did, but I still get the initial warning. What am I doing wrong?
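As an added example (not part of the original post, and not ownCloud's own code), this Python check evaluates the response headers the server actually returns against the threshold quoted in the warning, parsing the value per RFC 6797. The function names and sample headers are constructed for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # threshold quoted in the admin-page warning


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict.

    Returns None when the value is malformed: a directive appears twice,
    or max-age is missing or not a plain decimal number.
    Simplification: assumes no ';' inside a quoted directive value.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()  # names are case-insensitive
        if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
            arg = arg[1:-1]  # max-age may be sent as a quoted string
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_response(headers):
    """headers: list of (name, value) pairs as received. Returns (ok, reason)."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, "header missing"
    parsed = parse_hsts(values[0])  # clients honour only the first occurrence
    if parsed is None:
        return False, "header malformed"
    if parsed["max-age"] < MIN_MAX_AGE:
        return False, "max-age too short"
    return True, "ok"


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "no header": [("Content-Type", "text/html")],
    "as in post": [("Strict-Transport-Security", "max-age=15552000; includeSubDomains")],
    "short": [("strict-transport-security", "max-age=3600")],
    "duplicate": [("Strict-Transport-Security", "max-age=15552000; max-age=0")],
}
```

A "header missing" result for the headers seen in the browser's network tab means the directive is not reaching the response at all, regardless of what the .htaccess file contains.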