Yet another alternative is to always set the header and conditionally remove it for non-ssl connections:
Header always set Strict-Transport-Security "max-age=31536000" early
Header unset Strict-Transport-Security env=!HTTPS
This has the advantage, that the Header directive can be used with both the env condition as well as the early flag. With a single Header directive, env and early cannot be used together, they are mutually exclusive (see official documentation: https://httpd.apache.org/docs/current/mod/mod_headers.html#header).
