diff --git a/systemd/system/nginx.service.d/hardening.conf b/systemd/system/nginx.service.d/hardening.conf
new file mode 100644
index 0000000..5f826ab
--- /dev/null
+++ b/systemd/system/nginx.service.d/hardening.conf
@@ -0,0 +1,25 @@
+[Service]
+LockPersonality=true
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+PrivateIPC=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/var/lib/nginx /var/log/nginx -/var/cache/nginx
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@obsolete
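Review bot: `ProtectSystem=strict` makes the whole hierarchy outside /dev, /proc and /sys read-only, and `ReadWritePaths=` only re-opens /var/lib/nginx, /var/log/nginx and /var/cache/nginx, so if the base nginx.service writes a PID file under /run (not visible in this diff, but the common packaging default) the master process will fail to start with a read-only-filesystem error; add `RuntimeDirectory=nginx` and point the PID file into /run/nginx/, or append that PID path to the `ReadWritePaths=` line. `MemoryDenyWriteExecute=true` also refuses any writable-and-executable mapping, which is known to break builds using PCRE JIT (`pcre_jit on;`) or dynamic modules that embed a JIT runtime, so this setting should be confirmed against the installed module set before rollout. The drop-in has no header comment; a short one such as `# Sandboxing drop-in for nginx.service; verify with: systemd-analyze security nginx.service` would tell the next maintainer how to check the unit after changes, and `CapabilityBoundingSet=` is absent, so the master process keeps the full root capability set even though the rest of the profile is tight — worth scoping to the capabilities the deployment actually needs.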