diff --git a/conf/systemd.service b/conf/systemd.service
index 21f2d3c..99fa4d2 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -11,5 +11,35 @@ ExecStart=__FINALPATH__/auto_updater.sh
 Restart=always
 RestartSec=10s
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index fb43671..9ceeb39 100644
--- a/manifest.json
+++ b/manifest.json
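Review bot: `CAP_RAWIO` in the first `CapabilityBoundingSet=` line is not a name listed in capabilities(7); the raw I/O capability is `CAP_SYS_RAWIO`, so as written it is most likely not removed from the bounding set (systemd is expected to warn about the unknown name and skip it). The line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Because `SystemCallFilter=` is used, `SystemCallArchitectures=native` is the usual companion setting, so the deny-list also holds for calls made through a non-native ABI. The `[Service]` section starts outside the hunk, so `User=` and the needs of `auto_updater.sh` are not visible here; running `systemd-analyze security <unit>` on an installed instance would confirm which of these directives were accepted.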
@@ -9,13 +9,13 @@
 "version": "20220709~ynh1",
 "url": "https://github.com/hnhx/librex",
 "upstream": {
- "license": "AGPL-3.0",
+ "license": "AGPL-3.0-only",
 "website": "https://github.com/hnhx/librex",
 "demo": "https://librex.beparanoid.de",
 "admindoc": "https://github.com/hnhx/librex/wiki",
 "code": "https://github.com/hnhx/librex"
 },
- "license": "AGPL-3.0",
+ "license": "AGPL-3.0-only",
 "maintainer": {
 "name": "eric_G",
 "email": ""
diff --git a/scripts/change_url b/scripts/change_url
index b286df6..da25297 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -100,6 +100,16 @@ then
 ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf"
 fi
+#=================================================
+# SPECIFIC MODIFICATIONS
+#=================================================
+
+domain="$new_domain"
+ynh_add_config --template="../conf/opensearch.xml.example" --destination="$final_path/opensearch.xml"
+
+chmod 400 "$final_path/opensearch.xml"
+chown $app:$app "$final_path/opensearch.xml"
+
 #=================================================
 # GENERIC FINALISATION
 #=================================================
diff --git a/scripts/install b/scripts/install
index b322054..25c9590 100755
--- a/scripts/install
+++ b/scripts/install
@@ -105,6 +105,8 @@ ynh_add_config --template="../conf/opensearch.xml.example" --destination="$final
 chmod 400 "$final_path/config.php"
 chown $app:$app "$final_path/config.php"
+chmod 400 "$final_path/opensearch.xml"
+chown $app:$app "$final_path/opensearch.xml"
 #=================================================
 # SETUP SYSTEMD
diff --git a/scripts/upgrade b/scripts/upgrade
index d160be5..a3484e3 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
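Review bot: `chown $app:$app` leaves `$app` unquoted in the scripts/change_url hunk and in the matching lines added to scripts/install; writing it as `chown "$app:$app" "$final_path/opensearch.xml"` keeps the owner argument a single word whatever the instance name contains. In change_url, `domain="$new_domain"` rebinds `domain` for everything that runs afterwards, apparently only so that `ynh_add_config` renders the template with the new domain, and a comment such as `# the template is rendered from $domain, so point it at the new domain first` would make that intent explicit. If the template also embeds the URL path (it is not visible in this diff), the path variable needs the same treatment for a path-only change. Mode 400 with owner `$app` means only the app user can read the file, so it is worth confirming that opensearch.xml is delivered through PHP-FPM rather than read directly by the web server account.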
@@ -19,6 +19,7 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
 fpm_footprint=$(ynh_app_setting_get --app=$app --key=fpm_footprint)
 fpm_usage=$(ynh_app_setting_get --app=$app --key=fpm_usage)