diff --git a/config.sample.js b/config.sample.js
index 09c83b1..22198e3 100644
--- a/config.sample.js
+++ b/config.sample.js
@@ -136,16 +136,19 @@ module.exports = {
 },
 /*
- HTTP Strict Transport Security (HSTS).
- This doesn't enforce HTTP users to switch to HTTPS.
- It only tells HTTPS users to stick around (i.e. not to downgrade to HTTP).
- When set, it's also added to HTTP responses because the header will be ignored anyway.
- https://helmetjs.github.io/docs/hsts/#the-code
+ Helmet security headers.
+ https://github.com/helmetjs/helmet#how-it-works
 */
- hsts: {
- // maxAge: 63072000, // 2 years
- // includeSubDomains: true,
- // preload: true
+ helmet: {
+ contentSecurityPolicy: false,
+ /*
+ hsts: {
+ maxAge: 63072000, // 2 years
+ includeSubDomains: true,
+ preload: true
+ }
+ */
+ hsts: false
 },
 /*
diff --git a/lolisafe.js b/lolisafe.js
index 099270a..6ed3950 100644
--- a/lolisafe.js
+++ b/lolisafe.js
@@ -32,6 +32,11 @@ const player = require('./routes/player')
 const db = require('knex')(config.database)
+// Helmet security headers
+if (config.helmet instanceof Object && Object.keys(config.helmet).length) {
+ safe.use(helmet(config.helmet))
+} else {
+ // Fallback to old behavior when the whole helmet option was not configurable from the config file
 safe.use(helmet({
 contentSecurityPolicy: false,
 hsts: false
@@ -39,6 +44,7 @@ safe.use(helmet({
 if (config.hsts instanceof Object && Object.keys(config.hsts).length) {
 safe.use(helmet.hsts(config.hsts))
+ }
 }
 if (config.trustProxy) {
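Review bot: Uncommenting the `hsts: { ... }` block in the new `helmet` object as written still leaves HSTS disabled, because `hsts: false` follows it in the same object literal and a later duplicate key silently wins, so `helmet(config.helmet)` keeps receiving `hsts: false` with no error. Put the `false` line before the commented block and say it must be replaced, e.g. `hsts: false, // replace with the block below to enable HSTS; a later duplicate 'hsts' key would override it`, and note that the block needs a trailing comma after its closing `}` once enabled. The caveat the removed comment carried is also worth keeping in one sentence: helmet adds the header to plain-HTTP responses as well, and with `includeSubDomains` and `preload` every subdomain must already be served over HTTPS for the whole `maxAge`, since preload-list inclusion is slow to undo.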
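Review bot: A deployment that keeps its existing `hsts: { ... }` block and copies the new sample's `helmet: { ..., hsts: false }` loses HSTS silently, because `config.hsts` is only consulted in the `else` branch once `config.helmet` is a non-empty object. Make the migration visible by warning when both are set, e.g. after `safe.use(helmet(config.helmet))` add `if (config.hsts instanceof Object && Object.keys(config.hsts).length) console.warn('config.hsts is ignored because config.helmet is set; move it to config.helmet.hsts')` (or the file's own logger, which is not visible here). Separately, `safe.use(helmet({` and the two option lines are unchanged context lines, so they keep their old top-level indentation inside the new `else` block and should be re-indented. The `else` body continues past the end of this hunk.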
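Review bot: The added `}` closes the new `else` block after the `config.hsts` fallback, but the three enclosed lines are unchanged context and so remain at their previous top-level indentation; re-indent `if (config.hsts instanceof Object && Object.keys(config.hsts).length) {`, `safe.use(helmet.hsts(config.hsts))` and the inner `}` by one level so the nesting is visible without counting braces. The `else` that this brace closes is opened in the previous hunk, outside this one.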