diff --git a/config/serverless.yml b/config/serverless.yml
index 58ce06014534c..b9cf2a384873d 100644
--- a/config/serverless.yml
+++ b/config/serverless.yml
@@ -26,6 +26,7 @@ telemetry.allowChangingOptInStatus: false
 
 # Harden security response headers, see https://github.com/elastic/kibana/issues/150884
 # The browser should remember that a site, including subdomains, is only to be accessed using HTTPS for 1 year
+# Can override this setting in kibana.dev.yml, e.g. server.securityResponseHeaders.strictTransportSecurity: null
 server.securityResponseHeaders.strictTransportSecurity: max-age=31536000; includeSubDomains
 # Disable embedding for serverless MVP
 server.securityResponseHeaders.disableEmbedding: true