diff --git a/README.md b/README.md index 7183675..8af16ae 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,8 @@ Kernel space: - Prevent kernel information leaks in the console during boot. -- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening. +- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs + by unprivileged users. - Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. @@ -82,6 +83,8 @@ Swap space: Networking: +- Enable hardening of the BPF JIT compiler protect against JIT spraying. + - Enable TCP SYN cookie protection to assist against SYN flood attacks. - Protect against TCP time-wait assassination hazards. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index a0bb243..bd74a3a 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -58,15 +58,16 @@ kernel.dmesg_restrict=1 ## #kernel.printk=3 3 3 3 -## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. +## Restrict eBPF access to CAP_BPF. +## Disables unprivileged calls to bpf() without recovery. ## ## https://en.wikipedia.org/wiki/EBPF#Security +## https://lwn.net/Articles/660331/ ## ## KSPP=yes -## KSPP sets the sysctls. +## KSPP sets the sysctl. ## kernel.unprivileged_bpf_disabled=1 -net.core.bpf_jit_harden=2 ## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. ## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. 
@@ -348,6 +349,19 @@ vm.swappiness=1 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network ## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening +## Enable hardening of the BPF JIT compiler for all users. +## Provides some mitigation against JIT spraying. +## +## https://en.wikipedia.org/wiki/JIT_spraying +## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf +## https://lwn.net/Articles/686098/ +## https://lwn.net/Articles/525609/ +## +## KSPP=yes +## KSPP sets the sysctl. +## +net.core.bpf_jit_harden=2 + ## Enable TCP SYN cookie protection to assist against SYN flood attacks. ## ## https://en.wikipedia.org/wiki/SYN_flood
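Review bot: in the first README.md hunk (Kernel space list), `Restrict usage of bpf() to CAP_BPF` slightly understates the gate: with `kernel.unprivileged_bpf_disabled=1` the kernel still allows `bpf()` for callers holding `CAP_SYS_ADMIN` as well as `CAP_BPF` (`CAP_BPF` is the split-out capability; `CAP_SYS_ADMIN` continues to imply it). Either wording is acceptable for a README, but the new text should match the sysctl comment in the same patch, which still says `Restrict eBPF access to CAP_BPF`; pick one phrasing and use it in both places.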
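Review bot: the new Networking bullet in README.md is missing a word: `Enable hardening of the BPF JIT compiler protect against JIT spraying.` should read `Enable hardening of the BPF JIT compiler to protect against JIT spraying.` Placing it under Networking also reads oddly, since the only networking aspect is that the sysctl lives under `net.core`; the constant blinding applies to every JIT-compiled BPF program, not just packet filters. Consider keeping the bullet next to the `bpf()` restriction in the Kernel space list, or adding a few words in the bullet saying the hardening covers all BPF programs.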
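Review bot: in the first 990-security-misc.conf hunk, `Disables unprivileged calls to bpf() without recovery.` repeats the kernel documentation wording for value 1 but does not say what it implies for an operator: once `kernel.unprivileged_bpf_disabled=1` is set it cannot be changed back until reboot, whereas value 2 imposes the same restriction but can be reverted to 0 by a privileged user. Spell that out so the lock-in is visibly deliberate, e.g. `## Value 1 cannot be reverted without a reboot; value 2 would allow re-enabling.` The removal of `net.core.bpf_jit_harden=2` here is fine given it is re-added in the networking section, but the `KSPP sets the sysctl.` line now covers only `kernel.unprivileged_bpf_disabled`, which matches the singular wording.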
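Review bot: the comment block added for `net.core.bpf_jit_harden=2` says `Provides some mitigation against JIT spraying` but records no cost, and value 2 has two: constant blinding is applied to privileged programs as well as unprivileged ones (a performance hit on every JITed program), and while `bpf_jit_harden` is non-zero the kernel does not export JIT images through `bpf_jit_kallsyms`, so JITed BPF programs no longer show up in /proc/kallsyms or in stack traces, which affects tracing and debugging. Since the rest of this file documents trade-offs next to each setting, add a line noting both effects and mention that value 1 (hardening for unprivileged users only) is the option if the tracing impact matters.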