TIL HSTS requires a secure transport
Otherwise (quoting RFC6797):
If an HTTP response is received over insecure transport, the UA MUST ignore any present STS header field(s).
That means SSL certificate on your server must be valid, i.e. no errors or warnings when you open a page from a browser over https.