diff --git a/static/Raccoon/nginx.service b/static/Raccoon/nginx.service
index 7fc2ad6..a10120f 100644
--- a/static/Raccoon/nginx.service
+++ b/static/Raccoon/nginx.service
@@ -15,5 +15,36 @@ ExecStop=/bin/sh -c "/bin/kill -s QUIT $(/bin/cat /run/nginx.pid)"
 TimeoutStartSec=10
 LimitNOFILE=65535
+# === hardening (compatible with LuaJIT + nginx workers + raweb agent) ===
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectHostname=true
+PrivateDevices=true
+PrivateTmp=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+LockPersonality=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# ProtectSystem=strict makes the entire filesystem read-only EXCEPT these.
+# /run covers nginx.pid, nginx.lock, and the temp/ subdir (all tmpfs).
+ReadWritePaths=/run /var/log/nginx /nginx /hostdata
+# Read-only paths nginx legitimately accesses. ProtectSystem=strict already
+# allows reads everywhere by default — these are documented for the operator's
+# benefit (and so they survive future hardening tightening).
+ReadOnlyPaths=/raweb /srv /etc/letsencrypt
+# NOTE deliberately OFF:
+# MemoryDenyWriteExecute=true breaks LuaJIT (JIT writable+executable pages)
+# SystemCallFilter=~@resources breaks nginx workers' prlimit64()
+
 [Install]
 WantedBy=multi-user.target
diff --git a/static/Trixie/nginx.service b/static/Trixie/nginx.service
index 7fc2ad6..a10120f 100644
--- a/static/Trixie/nginx.service
+++ b/static/Trixie/nginx.service
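Review bot: The new hardening block never bounds capabilities, so if the master process still runs as root (no User= is visible in this hunk) it keeps the full capability set — CAP_SYS_ADMIN, CAP_SYS_PTRACE and the rest — even with NoNewPrivileges=true and ProtectSystem=strict now set; add `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE` next to NoNewPrivileges=true and drop CAP_CHOWN/CAP_DAC_OVERRIDE if staging shows the log and pid files do not need them. ReadWritePaths=/run grants write access to the whole of /run, not only the nginx.pid, nginx.lock and temp/ entries the comment names; narrowing it probably needs a RuntimeDirectory=nginx and a pid-path change that this commit does not make, so at minimum the comment should say the grant is /run-wide. That comment also explains /run but not why /nginx and /hostdata must be writable under ProtectSystem=strict (if /nginx holds the binary or Lua code, writability there undercuts the read-only root) — a line such as `# /nginx: <what nginx writes there>; /hostdata: <what is written there>` would tell the operator what breaks if either is tightened. The identical block is added to static/Trixie/nginx.service in the second hunk, and all of this applies there too.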
@@ -15,5 +15,36 @@ ExecStop=/bin/sh -c "/bin/kill -s QUIT $(/bin/cat /run/nginx.pid)"
 TimeoutStartSec=10
 LimitNOFILE=65535
+# === hardening (compatible with LuaJIT + nginx workers + raweb agent) ===
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectHostname=true
+PrivateDevices=true
+PrivateTmp=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+LockPersonality=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# ProtectSystem=strict makes the entire filesystem read-only EXCEPT these.
+# /run covers nginx.pid, nginx.lock, and the temp/ subdir (all tmpfs).
+ReadWritePaths=/run /var/log/nginx /nginx /hostdata
+# Read-only paths nginx legitimately accesses. ProtectSystem=strict already
+# allows reads everywhere by default — these are documented for the operator's
+# benefit (and so they survive future hardening tightening).
+ReadOnlyPaths=/raweb /srv /etc/letsencrypt
+# NOTE deliberately OFF:
+# MemoryDenyWriteExecute=true breaks LuaJIT (JIT writable+executable pages)
+# SystemCallFilter=~@resources breaks nginx workers' prlimit64()
+
 [Install]
 WantedBy=multi-user.target