In cases where .htaccess changes is not possible and there’s a WordPress in use the HSTS headers can be set using the following function:

// HSTS Headers
add_action( 'send_headers', 'mo_strict_transport_security' );
function mo_strict_transport_security() {
header( 'Strict-Transport-Security: max-age=15552001; includeSubDomains; preload' );
}

The header format may vary, more details here.