diff --git a/contrib/libreddit.service b/contrib/libreddit.service
index b6e6fef..8ed5da7 100644
--- a/contrib/libreddit.service
+++ b/contrib/libreddit.service
@@ -11,5 +11,27 @@
 Environment=PORT=8080
 EnvironmentFile=-/etc/libreddit.conf
 ExecStart=/usr/bin/libreddit -a ${ADDRESS} -p ${PORT}
+# Hardening
+DeviceAllow=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service ~@privileged ~@resources
+UMask=0077
+
 [Install]
 WantedBy=default.target
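Review bot: The added hardening block does not make the filesystem read-only or pin privileges: `ProtectSystem=strict`, `NoNewPrivileges=yes` and an empty `CapabilityBoundingSet=` are absent from the new lines, and a service that only binds port 8080 and reads /etc/libreddit.conf should not need writable system paths or any capabilities. Some of these (NoNewPrivileges in particular) are implied by other options when the unit runs unprivileged, but the [Service] section begins above the hunk, so whether `User=`/`DynamicUser=` or `ProtectSystem=` are already set there cannot be seen here; if they are not, add `ProtectSystem=strict` and `CapabilityBoundingSet=` next to `UMask=0077`. One behavioural caveat worth a comment: `RestrictAddressFamilies=AF_INET AF_INET6` excludes AF_UNIX, which NSS modules such as nss-resolve use to reach the local resolver, so if name resolution regresses after this change that line is the first thing to check; a comment like `# AF_UNIX intentionally excluded; DNS falls back to the dns NSS module` would record that decision. Running `systemd-analyze security libreddit.service` before and after would confirm the resulting exposure level and show which of the remaining settings still count.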