chore(docs): update security headers specification (#33673)

1. fix details on how next handles security headers

* note: check your HSTS at https://hstspreload.org
* if your using headers in the config you need to add them below like 

![Screen Shot 2022-01-25 at 9 58 30 PM](https://user-images.githubusercontent.com/8095978/151096692-1544e239-6229-4654-bf64-b01bfc13a601.png)



## Bug

- [ ] Related issues linked using `fixes #number`
- [ ] Integration tests added
- [ ] Errors have helpful link attached, see `contributing.md`

## Feature

- [ ] Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR.
- [ ] Related issues linked using `fixes #number`
- [ ] Integration tests added
- [ ] Documentation added
- [ ] Telemetry added. In case of a feature if it's used or not.
- [ ] Errors have helpful link attached, see `contributing.md`

## Documentation / Examples

- [ ] Make sure the linting passes by running `yarn lint`


Co-authored-by: Steven <229881+styfle@users.noreply.github.com>

docs/advanced-features/security-headers.md

@@ -43,7 +43,7 @@ This header controls DNS prefetching, allowing browsers to proactively perform d
 
 This header informs browsers it should only be accessed using HTTPS, instead of using HTTP. Using the configuration below, all present and future subdomains will use HTTPS for a `max-age` of 2 years. This blocks access to pages or subdomains that can only be served over HTTP.
 
-If you're deploying to [Vercel](https://vercel.com/docs/edge-network/headers#strict-transport-security), this header is not necessary as it's automatically added to all deployments.
+If you're deploying to [Vercel](https://vercel.com/docs/edge-network/headers#strict-transport-security), this header is not necessary as it's automatically added to all deployments unless you declare [`headers`](/docs/api-reference/next.config.js/headers.md) in your `next.config.js`.
 
 ```jsx
 {