diff --git a/index.js b/index.js
index 526d775..55beed2 100755
--- a/index.js
+++ b/index.js
@@ -94,6 +94,12 @@ if (require.main === module) {
 type: 'string',
 default: process.env.COMMAND || 'login',
 },
+ 'no-helmet': {
+ demand: false,
+ description: 'disable helmet from placing security restrictions',
+ type: 'boolean',
+ default: false,
+ },
 help: {
 demand: false,
 alias: 'h',
diff --git a/src/server/index.ts b/src/server/index.ts
index 2274339..41dbc46 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -17,6 +17,7 @@ export interface Options {
 port: number;
 title: string;
 command?: string;
+ disableHelmet?: boolean;
 }
 interface CLI extends Options {
@@ -38,6 +39,7 @@ export default class Server {
 command,
 sslkey,
 sslcert,
+ disableHelmet,
 }: Options): Promise {
 wetty
 .on('exit', ({ code, msg }: { code: number; msg: string }) => {
@@ -56,11 +58,11 @@ export default class Server {
 host: sshhost,
 auth: sshauth,
 port: sshport,
- title: title,
+ title,
 pass: sshpass,
 key: sshkey,
 },
- { base, host, port, title },
+ { base, host, port, title, disableHelmet },
 command,
 { key: sslkey, cert: sslcert }
 );
diff --git a/src/server/interfaces.ts b/src/server/interfaces.ts
index 4674ecf..adcda37 100644
--- a/src/server/interfaces.ts
+++ b/src/server/interfaces.ts
@@ -21,4 +21,5 @@ export interface Server {
 port: number;
 host: string;
 base: string;
+ disableHelmet: boolean;
 }
diff --git a/src/server/server.ts b/src/server/server.ts
index 695a3d7..f53e0c2 100644
--- a/src/server/server.ts
+++ b/src/server/server.ts
@@ -17,7 +17,7 @@ const distDir = path.join(__dirname, 'client');
 const trim = (str: string): string => str.replace(/\/*$/, '');
 export default function createServer(
- { base, port, host, title }: Server,
+ { base, port, host, title, disableHelmet }: Server,
 { key, cert }: SSLBuffer
 ): SocketIO.Server {
 const basePath = trim(base);
@@ -49,7 +49,7 @@ export default function createServer(
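Review bot: In the index.js hunk the new option is keyed `no-helmet`, while src/server/index.ts reads a field called `disableHelmet`, and no line in this diff maps one name onto the other, so the switch may never reach `createServer`. If this option table is parsed by yargs, a leading `no-` is treated as boolean negation by default, so `--no-helmet` would set `helmet: false` instead of `no-helmet: true`. Keying the option `'disable-helmet': {` avoids both problems, assuming the parser's usual camel-case expansion is in effect. The description would also serve operators better if it named what is lost, for example `description: 'do not send helmet security headers (X-Frame-Options, HSTS, X-Content-Type-Options)',`. The option table starts and ends outside the hunk.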
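Review bot: `disableHelmet` is declared optional in `Options` (src/server/index.ts, hunk at -17) but required as `boolean` on the `Server` interface in src/server/interfaces.ts, so the literal `{ base, host, port, title, disableHelmet }` in the -56 hunk hands over `boolean | undefined`. With strictNullChecks on that should be rejected, and at runtime the safe behaviour depends on `!undefined` happening to be true. Defaulting where the value is destructured in the -38 hunk, `disableHelmet = false,`, makes the secure default explicit and satisfies the required field. A one-line TSDoc comment on the `Options` field saying that `true` removes helmet's response headers would document the security impact at the declaration.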
@@ -61,7 +61,6 @@ export default function createServer(
 const app = express();
 app
 .use(morgan('combined', { stream: logger.stream }))
- .use(helmet())
 .use(compression())
 .use(favicon(path.join(distDir, 'favicon.ico')))
 .use(`${basePath}/public`, express.static(distDir))
@@ -77,6 +76,10 @@ export default function createServer(
 .get(basePath, html)
 .get(`${basePath}/ssh/:user`, html);
+ if (!disableHelmet) {
+ app.use(helmet());
+ }
+
 return socket(
 !isUndefined(key) && !isUndefined(cert)
 ? https.createServer({ key, cert }, app).listen(port, host, () => {
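Review bot: In src/server/server.ts (hunk at -77) `app.use(helmet())` is now registered after `express.static` and the two `.get(…, html)` routes, whereas the call removed in the -61 hunk sat directly after `morgan`. Express runs middleware in registration order, so a handler that ends the response without calling `next()` never reaches helmet. Unless `html` and the static handler pass control on, pages and assets would be served without the security headers even when `disableHelmet` is false. Keeping the conditional at the original position preserves the previous behaviour for the default case, and a startup log entry when helmet is skipped would let operators notice a weakened deployment. The body of `createServer` starts and ends outside these hunks.

```typescript
const app = express();
app.use(morgan('combined', { stream: logger.stream }));
if (!disableHelmet) {
  // Registered ahead of the static and html handlers so their responses carry the headers.
  app.use(helmet());
}
app
  .use(compression())
  // … unchanged: favicon, static and route registrations …
```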