diff --git a/contrib/airsonic.service b/contrib/airsonic.service
index e3b0e274..5cf08590 100644
--- a/contrib/airsonic.service
+++ b/contrib/airsonic.service
@@ -21,6 +21,31 @@ ExecStart=/usr/bin/java \
 User=airsonic
 Group=airsonic
+# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# for details
+DevicePolicy=closed
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=true
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=~@clock,@debug,@module,@mount,@obsolete,@privileged,@reboot,@setuid,@swap
+ProtectSystem=full
+
+# You can uncomment the following line if you don't want airsonic to be able to
+# write anything on your filesystem outside of AIRSONIC_HOME.
+# Don't forget to remove the other `ProtectSystem` line above.
+#ProtectSystem=strict
+#ReadWritePaths=/var/airsonic
+
+
 [Install]
 WantedBy=multi-user.target
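Review bot: `MemoryDenyWriteExecute=yes` is likely to conflict with `ExecStart=/usr/bin/java`, because the JVM's JIT compiler relies on memory mappings that are both writable and executable; the systemd.exec documentation the hunk links to notes that this option is incompatible with JIT engines, so it should be dropped or confirmed against the JVMs the project supports before shipping. The `SystemCallFilter=` deny-list is weaker without `SystemCallArchitectures=native`, which pins the service to the native syscall ABI so the filter cannot be sidestepped through a secondary ABI. `PrivateUsers=yes` maps every UID other than root and `airsonic` to nobody inside the service, so a media library owned by another user would become unreadable; that deserves a comment next to the line, e.g. `# PrivateUsers: files owned by other users appear as nobody; keep the library owned by airsonic`. Minor style: `ProtectHome=true` should be `ProtectHome=yes` to match the `yes` used by the surrounding directives.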