diff --git a/README.md b/README.md
index ac2c864..f73c2ec 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ Libreddit is a portmanteau of "libre" (meaning freedom) and "Reddit". It is a pr
 🔒 Secure: strong Content Security Policy prevents browser requests to Reddit
-**Shipped version:** 0.22.6~ynh1
+**Shipped version:** 0.22.6~ynh2
 **Demo:** https://libreddit.spike.codes/
diff --git a/README_fr.md b/README_fr.md
index 68a9b1f..73c636b 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -21,7 +21,7 @@ Libreddit is a portmanteau of "libre" (meaning freedom) and "Reddit". It is a pr
 🔒 Secure: strong Content Security Policy prevents browser requests to Reddit
-**Version incluse :** 0.22.6~ynh1
+**Version incluse :** 0.22.6~ynh2
 **Démo :** https://libreddit.spike.codes/
diff --git a/conf/systemd.service b/conf/systemd.service
index de90501..65e0480 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -14,5 +14,27 @@ Environment=PORT=__PORT__
 EnvironmentFile=-__FINALPATH__/libreddit.conf
 ExecStart=__FINALPATH__/libreddit -a ${ADDRESS} -p ${PORT}
+# Hardening
+DeviceAllow=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service ~@privileged ~@resources
+UMask=0077
+
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 620d7a8..b659ac5 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Libre alternative to Reddit",
 "fr": "Alternative libre à Reddit"
 },
- "version": "0.22.6~ynh1",
+ "version": "0.22.6~ynh2",
 "url": "https://libreddit.spike.codes/",
 "upstream": {
 "license": "AGPL-3.0",
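Review bot: The hardening block added to conf/systemd.service restricts kernel, device and syscall surface but leaves the filesystem and capability side open: none of the new lines sets `ProtectSystem=full` (or `strict` plus a `ReadWritePaths=` for anything the service must write), `PrivateTmp=yes` or an empty `CapabilityBoundingSet=`, so a compromised process keeps the service account's ordinary write access everywhere except the paths `ProtectHome=yes` hides. `RestrictAddressFamilies=AF_INET AF_INET6` also excludes AF_UNIX, which name resolution or logging can depend on with some NSS setups, so outbound lookups should be confirmed after a restart. `ProcSubset=` and `ProtectProc=` exist only in newer systemd releases and are ignored with a warning on older ones, so the effective sandbox is best checked with `systemd-analyze security` on the target host. The [Service] section begins above this hunk, so `User=` and any sandboxing already set there are not visible here.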