Docs: Add authentication note for external/internal image sources

[pontasan]

Summary
This PR adds a note to the documentation clarifying the behavior when using external or internal URLs (API Routes) as image sources with Next.js Image Optimization.
This change addresses issue #82610.

Details

• Added a note explaining that, for security reasons, request headers are not forwarded to API Routes or external URLs when Image Optimization is used.
• Documented that if image data requires authentication, the unoptimized property should be considered to disable Image Optimization.

Why
Users may be confused when trying to load images from endpoints that require authentication. This clarification helps developers understand the limitation and how to handle such cases.

References

• Vercel Changelog: CVE-2025-57752
• Next.js GitHub Issue #82703

---

resolves #82610

[ijjk]

Allow CI Workflow Run

• approve CI run for commit: ef3289d

Note: this should only be enabled once the PR is ready to go and can only be enabled by a maintainer

[DabirRahmani]

thanks for referencing my issue (#82703).
just to clarify, the case I'm experiencing is different from the scenarios described in this PR. my issue doesn't involve authentication headers or the unoptimized property.

[pontasan]

thanks for referencing my issue (#82703). just to clarify, the case I'm experiencing is different from the scenarios described in this PR. my issue doesn't involve authentication headers or the unoptimized property.

Thank you for pointing that out.
I was referring to it since I found the following description related to this matter.

The patch from #82114 was fixing a security vulnerability. It was a bug that headers were ever forwarded so we removed them. I do not recommend adding it back or else your app could expose private images to unauthorized users.

See GHSA-g5qg-72qw-gw5v

I’d like to emphasize once again that this PR is meant to address issue #82610.