htaccess on subdomain for nextcloud doesn't seem to work

I’ve created a subdomain for nextcloud and all is working just fine. In the security recommendations within Nextcloud I keep getting: ‘The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips’. Now I found that there are two options to get this fix. I’ve tried to set the following in .htaccess in the root of the subdomain:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

But this doesn’t seem to do anything. I’ve checked a2enmod headers and it reports it already enabled, so nothing missing there. I’ve tried editing the /etc/apache2/sites-enabled/next.domain.conf and /etc/apache2/sites-available/next.domain.conf but that doesnt fix it either. I see that the default setting for Override All is:
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
is that enough to have this work?

Any ideas on how to get this fixed? What is the preferred way to configure this, at .htaccess or in sites-enabled (or anywhere)?