diff --git a/config.sample.js b/config.sample.js
index 453453d..84f0084 100644
--- a/config.sample.js
+++ b/config.sample.js
@@ -141,6 +141,14 @@ module.exports = {
 */
 helmet: {
 contentSecurityPolicy: false,
+ /*
+ Cross-Origin-* headers were enabled by default since Helmet v5.0.0
+ However, for installations that use own http server for files (nginx, etc.),
+ these headers also need to be configured in there.
+ */
+ crossOriginEmbedderPolicy: false,
+ crossOriginOpenerPolicy: false,
+ crossOriginResourcePolicy: false,
 /*
 hsts: {
 maxAge: 63072000, // 2 years
@@ -148,7 +156,9 @@ module.exports = {
 preload: true
 }
 */
- hsts: false
+ hsts: false,
+ // This was also enabled by default since Helmet v5.0.0
+ originAgentCluster: false
 },
 /*
diff --git a/lolisafe.js b/lolisafe.js
index 85e3270..8efd620 100644
--- a/lolisafe.js
+++ b/lolisafe.js
@@ -60,7 +60,11 @@ if (config.helmet instanceof Object && Object.keys(config.helmet).length) {
 // Fallback to old behavior when the whole helmet option was not configurable from the config file
 safe.use(helmet({
 contentSecurityPolicy: false,
- hsts: false
+ crossOriginEmbedderPolicy: false,
+ crossOriginOpenerPolicy: false,
+ crossOriginResourcePolicy: false,
+ hsts: false,
+ originAgentCluster: false
 }))
 if (config.hsts instanceof Object && Object.keys(config.hsts).length) {
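Review bot: The new comment justifies switching off all three Cross-Origin-* headers by the files being served from nginx, but `crossOriginOpenerPolicy: false` (and `originAgentCluster: false` in the following hunk) remove document-level isolation that only applies to HTML responses this app itself serves, such as the dashboard, and that is unaffected by where the uploads live. The headers a file host actually needs off are Cross-Origin-Resource-Policy, which would block cross-origin embedding of uploads, and Cross-Origin-Embedder-Policy, which would demand CORP on everything the pages load; COOP could stay at Helmet's default `same-origin` unless the dashboard depends on `window.opener` across origins, which I cannot tell from this hunk. If uniform off-by-default is the deliberate choice so operators opt in consciously, the comment should say so, e.g. `// All disabled so behaviour matches files served by a reverse proxy; re-enable COOP/CORP here once nginx sends the same headers`. The wording would also read better as `Cross-Origin-* headers have been enabled by default since Helmet v5.0.0; installations that serve files from their own HTTP server (nginx, etc.) must configure these headers there as well.`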
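Review bot: The fallback branch now silently strips the Helmet 5 defaults for operators whose config predates the `helmet` option, and nothing at `safe.use(helmet({ ... }))` records that this list is meant to mirror config.sample.js, so the two will drift the next time Helmet changes its defaults. Add `// Keep in sync with config.sample.js: Helmet >=5 defaults disabled here; cross-origin headers are expected from the file-serving reverse proxy` above the call so the security trade-off is visible in code and not only in the sample config. The enclosing `if`/`else` opens before the hunk, and its tail, the `config.hsts` handling, continues past it.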