diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7a81aad09..c2f3757fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Deactivated users can no longer show up in the emoji reaction list
 - Embedded posts can no longer bypass `:restrict\_unauthenticated`
 
+## Security
+
+- Add `no_new_privs` hardening to OpenRC and systemd service files
+
 ## 2023.05
 
 ## Added
diff --git a/installation/akkoma.service b/installation/akkoma.service
index 2c381ad0d..717693495 100644
--- a/installation/akkoma.service
+++ b/installation/akkoma.service
@@ -38,6 +38,8 @@ ProtectHome=true
 ProtectSystem=full
 ; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
 PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve().
+NoNewPrivileges=true
 ; Drops the sysadmin capability from the daemon.
 CapabilityBoundingSet=~CAP_SYS_ADMIN
 
diff --git a/installation/init.d/akkoma b/installation/init.d/akkoma
index 6c1973db4..bd17516f2 100755
--- a/installation/init.d/akkoma
+++ b/installation/init.d/akkoma
@@ -8,6 +8,7 @@ pidfile="/var/run/akkoma.pid"
 directory=/opt/akkoma
 healthcheck_delay=60
 healthcheck_timer=30
+no_new_privs="yes"
 
 : ${akkoma_port:-4000}
 
diff --git a/rel/files/installation/init.d/akkoma b/rel/files/installation/init.d/akkoma
index ea6ea3580..492a0debe 100755
--- a/rel/files/installation/init.d/akkoma
+++ b/rel/files/installation/init.d/akkoma
@@ -9,6 +9,7 @@ command=/opt/akkoma/bin/pleroma
 command_args="start"
 command_user=akkoma
 command_background=1
+no_new_privs="yes"
 
 # Ask process to terminate within 30 seconds, otherwise kill it
 retry="SIGTERM/30/SIGKILL/5"
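Review bot: The new comment above `NoNewPrivileges=true` in installation/akkoma.service states the effect but not its practical consequence for operators: with this flag set, setuid/setgid bits and file capabilities are ignored for anything the service executes, so a helper that relies on them fails rather than elevating, and combined with the existing `CapabilityBoundingSet=~CAP_SYS_ADMIN` on the next line CAP_SYS_ADMIN becomes unobtainable for the whole process tree. I would extend the comment with `; setuid/setgid bits and file capabilities are ignored on execve(), so helpers that depend on them will fail instead of escalating.` so that anyone debugging a failed spawn knows where to look. Note that per the systemd documentation this applies only to processes forked from the unit, not to work requested of other services over IPC, which may be worth a half sentence as well.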
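Review bot: `no_new_privs="yes"` in installation/init.d/akkoma (and identically in rel/files/installation/init.d/akkoma) is only honoured when the script relies on OpenRC's default `start` function and a start-stop-daemon recent enough to understand the flag; on an older OpenRC the variable is silently ignored and the service starts without the hardening, with no error to alert the operator. Neither hunk shows whether these scripts define their own `start()`; if they do, the variable has no effect there and the flag would have to be passed to start-stop-daemon explicitly. I would add above the line `# Requires an OpenRC whose start-stop-daemon supports --no-new-privs; older releases ignore this silently` and mention the minimum supported OpenRC version in the installation docs, so the CHANGELOG's "hardening" claim holds on every supported platform.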