diff --git a/debian/php-fpm.service b/debian/php-fpm.service
index 415c0d89f99524d36c651bf70deef52407fc7f55..fcdf4be7d9e9ec3b76a558cde16447c4cc67f5be 100644
--- a/debian/php-fpm.service
+++ b/debian/php-fpm.service
@@ -10,5 +10,27 @@ ExecStartPost=-/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock
 ExecStopPost=-/usr/lib/php/php-fpm-socket-helper remove /run/php/php-fpm.sock /etc/php/@PHP_VERSION@/fpm/pool.d/www.conf @PHP_MAJOR@@PHP_MINOR@
 ExecReload=/bin/kill -USR2 $MAINPID
 
+# Hardening - see systemd.exec(5) for details
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
 [Install]
 WantedBy=multi-user.target
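Review bot: The new `CapabilityBoundingSet=` line omits CAP_KILL, so a root php-fpm master whose pools switch workers to an unprivileged user (which bounding CAP_SETUID/CAP_SETGID suggests) would likely get EPERM when it signals those workers to stop, reload or reap idle children. Consider `CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID CAP_KILL` and test reload and idle-worker reaping under the sandbox. The [Service] section begins above the hunk, so whether `User=` is set is not visible here and should be confirmed. The block also applies to every worker, so pool options that need more privilege or syscalls outside `@system-service` (for example `chroot`, `request_slowlog_timeout`, `process.priority`, or a listener on a port below 1024) would presumably stop working; a comment such as `# Pools using chroot, slowlog or privileged ports need a drop-in that widens CapabilityBoundingSet/SystemCallFilter` would steer admins toward extending the unit instead of removing the hardening. Because `SystemCallFilter=` without `SystemCallErrorNumber=` terminates the process on a filtered call, adding `SystemCallErrorNumber=EPERM` is worth considering if killing PHP workers outright is not the intent.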