diff --git a/modules/security.nix b/modules/security.nix
index 947bd7c..a0961c6 100644
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -83,6 +83,17 @@
 # Ignore broadcast ICMP (SMURF amplification mitigation).
 "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+ # Filesystem hardening: prevent hardlink/symlink-based attacks.
+ # protected_hardlinks/symlinks: block unprivileged creation of hard/symlinks
+ # to files the user doesn't own (prevents TOCTOU privilege escalation).
+ # protected_fifos/regular (level 2): restrict opening FIFOs and regular files
+ # in world-writable sticky directories to owner/group match only.
+ # Also required for systemd-tmpfiles to chmod hardlinked files.
+ "fs.protected_hardlinks" = true;
+ "fs.protected_symlinks" = true;
+ "fs.protected_fifos" = 2;
+ "fs.protected_regular" = 2;
 };
 services = {
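Review bot: The comment above `"fs.protected_fifos" = 2;` misdescribes what level 2 does: level 1 already refuses O_CREAT opens of FIFOs and regular files the caller does not own in world-writable sticky directories (unless the directory owner owns them), and level 2 only extends that same rule to group-writable sticky directories, so "owner/group match only" is not what the kernel enforces. Suggest replacing those two comment lines with `# protected_fifos/regular: refuse O_CREAT opens of FIFOs/regular files not owned by the caller` and `# in world-writable sticky dirs (1), and also in group-writable sticky dirs (2).` It is also worth noting in the comment that level 2 can surface as EACCES for services that create files in a group-writable sticky directory shared with another user, since that is the first place to look if a unit starts failing after this change. The enclosing attribute set opens outside the hunk, so whether an earlier entry or an imported profile already sets these keys to a different value is not visible here.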