diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh
index c81c3b2f210..19321fcb18b 100644
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh
+++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh
@@ -1,4 +1,4 @@
-hardeningFlags=()
+declare -a hardeningLDFlags=()
 
 declare -A hardeningEnableMap=()
 
@@ -11,14 +11,14 @@ done
 
 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
-  unset hardeningEnableMap[$flag]
+  unset -v hardeningEnableMap["$flag"]
 done
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
   # Determine which flags were effectively disabled so we can report below.
-  allHardeningFlags=(pie relro bindnow)
+  declare -a allHardeningFlags=(pie relro bindnow)
   declare -A hardeningDisableMap=()
-  for flag in ${allHardeningFlags[@]}; do
+  for flag in "${allHardeningFlags[@]}"; do
     if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
       hardeningDisableMap[$flag]=1
     fi
@@ -27,12 +27,12 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then
   printf 'HARDENING: disabled flags:' >&2
   (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
   echo >&2
-fi
 
-if (( "${#hardeningEnableMap[@]}" )); then
-  if (( "${NIX_DEBUG:-0}" >= 1 )); then
+  if (( "${#hardeningEnableMap[@]}" )); then
     echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
   fi
+fi
+
   for flag in "${!hardeningEnableMap[@]}"; do
       case $flag in
         pie)
@@ -55,4 +55,3 @@ if (( "${#hardeningEnableMap[@]}" )); then
           ;;
       esac
   done
-fi
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index 7fdfb615f7f..c8c95d2def4 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,4 +1,4 @@
-hardeningCFlags=()
+declare -a hardeningCFlags=()
 
 declare -A hardeningEnableMap=()
 
@@ -11,14 +11,14 @@ done
 
 # Remove unsupported flags.
 for flag in @hardening_unsupported_flags@; do
-  unset hardeningEnableMap[$flag]
+  unset -v hardeningEnableMap["$flag"]
 done
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
   # Determine which flags were effectively disabled so we can report below.
-  allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
+  declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
   declare -A hardeningDisableMap=()
-  for flag in ${allHardeningFlags[@]}; do
+  for flag in "${allHardeningFlags[@]}"; do
     if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
       hardeningDisableMap[$flag]=1
     fi
@@ -27,12 +27,12 @@ if (( "${NIX_DEBUG:-0}" >= 1 )); then
   printf 'HARDENING: disabled flags:' >&2
   (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
   echo >&2
-fi
 
-if (( "${#hardeningEnableMap[@]}" )); then
-  if (( "${NIX_DEBUG:-0}" >= 1 )); then
+  if (( "${#hardeningEnableMap[@]}" )); then
     echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
   fi
+fi
+
   for flag in "${!hardeningEnableMap[@]}"; do
       case $flag in
         fortify)
@@ -69,4 +69,3 @@ if (( "${#hardeningEnableMap[@]}" )); then
           ;;
       esac
   done
-fi