The easy way. I use the Redirection plugin on most sites. I didn't realize until this that it can set security headers. I'm sure there's a minor performance hit compared to doing it in server config, but Redirection is by John Godley who has been a major Wordpress contributor and I've never seen it create a major load in other situation.
https://torquemag.io/2021/06/http-security-headers/