diff --git a/conf/systemd.service b/conf/systemd.service
index b13a955..1d7a162 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -17,13 +17,16 @@ RestartSec=3
 # Depending on specificities of your service/app, you may need to tweak these
 # .. but this should be a good baseline
 # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+ReadWritePaths=__INSTALL_DIR__ /var/log/__APP__
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=true
 PrivateTmp=yes
 PrivateDevices=yes
+PrivateUsers=true
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=true
 DevicePolicy=closed
 ProtectClock=yes
 ProtectHostname=yes
@@ -32,8 +35,10 @@ ProtectSystem=full
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=true
 LockPersonality=yes
 SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
 SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
 # Denying access to capabilities that should not be relevant for webapps
diff --git a/scripts/install b/scripts/install
index de4ed34..35c6880 100755
--- a/scripts/install
+++ b/scripts/install
@@ -66,7 +66,11 @@ ynh_add_systemd_config
 yunohost service add $app --description="Matrix Discord pupetting bridge for YunoHost" --log="/var/log/$app/$app.log"
-ynh_use_logrotate
+# Use logrotate to manage application logfile(s)
+ynh_use_logrotate --logfile "/var/log/$app/$app.log" --nonappend --specific_user $app/$app
+chmod -R 600 "/var/log/$app"
+chmod 700 "/var/log/$app"
+chown -R $app:$app /var/log/$app
 #=================================================
 # APP INITIAL CONFIGURATION
diff --git a/scripts/upgrade b/scripts/upgrade
index 073f943..038403f 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
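Review bot: The added `ReadWritePaths=__INSTALL_DIR__ /var/log/__APP__` probably grants nothing in this unit, because `ReadWritePaths=` only re-opens paths that another directive has made read-only. The only such setting visible here is `ProtectSystem=full` (in the next hunk's header), which covers `/usr`, the boot loader directories and `/etc` but not `/var`. If the intent is to confine the service's writes to these two paths, the unit would need `ProtectSystem=strict` next to it; as written, the rest of `/var` stays writable. The full unit and the value `__INSTALL_DIR__` resolves to are outside the hunk, so confirm against the complete file, and add a comment such as `# Only these paths need to be writable by the service` to record the intent.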
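Review bot: `SystemCallErrorNumber=EPERM` carries no comment explaining the trade-off it makes: calls rejected by the `SystemCallFilter=` line below it now return EPERM to the process instead of terminating it. That keeps the service up when a library merely probes a blocked call, but a filter hit no longer shows up as a service crash, which was the most visible signal that the filter fired. I would add `# Blocked syscalls fail with EPERM instead of killing the service` above the directive, and consider `SystemCallLog=` (systemd 247 or later) for the groups that should stay logged.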
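Review bot: `chmod -R 600 "/var/log/$app"` also strips the search bit from any subdirectory under the log directory, and only the top level gets it back from the `chmod 700` that follows; the same three lines are repeated in the `scripts/upgrade` hunk. A single symbolic-mode call, `chmod -R u=rwX,go= "/var/log/$app"`, gives directories 700 and files 600 in one pass (a file keeps an owner execute bit only if it already had one). The `chown` line leaves `$app` unquoted while the lines above it quote the path; `chown -R "$app:$app" "/var/log/$app"` is consistent with them, and running it before the chmod sets ownership before the mode is tightened. Files the service creates later take their mode from its umask, which neither this hunk nor the unit hunks show being set, so the 600 applies only to files present when the script runs.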
@@ -56,7 +56,11 @@ ynh_add_systemd_config
 yunohost service add $app --description="Matrix Discord pupetting bridge for YunoHost" --log="/var/log/$app/$app.log"
-ynh_use_logrotate --non-append
+# Use logrotate to manage application logfile(s)
+ynh_use_logrotate --logfile "/var/log/$app/$app.log" --nonappend --specific_user $app/$app
+chmod -R 600 "/var/log/$app"
+chmod 700 "/var/log/$app"
+chown -R $app:$app /var/log/$app
 #=================================================
 # RECONFIGURE THE APP (UPDATE CONF, APPLY MIGRATIONS...)