Adding HSTS headers to all responses when using php-fpm + mod_fastcgi using basic php or Symfony2

.htaccess

# add HTTP Strict Transport Security (HSTS) header to all *non-php* responses
# - mod_fastcgi apparently ignores mod_headers?
# - see: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

Header set Strict-Transport-Security "max-age=7776000"

ResponseListener.php

<?php

// Add HSTS to every response in Symfony2
// file: src/YourApp/YourBundle/EventListener/ResponseListener.php

namespace YourApp\YourBundle\EventListener;
 
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
 
class ResponseListener
{
    public function onKernelResponse(FilterResponseEvent $event)
    {
        $event->getResponse()->headers->set('Strict-Transport-Security', 'max-age=7776000');
    }
}

services.yml

# In Symfony2 you can configure an event listener to attach the header to http responses.
# file: src/YourApp/YourBundle/Resources/config/services.yml

services:
…
    yourapp.hsts_response_listener:
        class: YourApp\YourBundle\EventListener\ResponseListener
        tags:
            - { name: kernel.event_listener, event: kernel.response, method: onKernelResponse }

whatever.php

// You can simply use PHP's header function to add custom headers:

header('Strict-Transport-Security: max-age=7776000');