diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix
index 6944a89477a..cc95c60c7c2 100644
--- a/pkgs/servers/http/nginx/default.nix
+++ b/pkgs/servers/http/nginx/default.nix
@@ -1,6 +1,7 @@
 { stdenv, fetchurl, fetchFromGitHub, openssl, zlib, pcre, libxml2, libxslt, expat
 , gd, geoip
 , modules ? []
+, hardening ? true
 }:
 
 with stdenv.lib;
@@ -53,7 +54,14 @@ stdenv.mkDerivation rec {
 NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ]
 ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations -Wno-error=conditional-uninitialized";
 
- preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules;
+ preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules)
+ + optionalString hardening ''
+ configureFlagsArray=(
+ --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2"
+ --with-ld-opt="-pie -Wl,-z,relro,-z,now"
+ )
+ ''
+ ;
 
 meta = {
 description = "A reverse proxy and lightweight webserver";
diff --git a/pkgs/servers/http/nginx/unstable.nix b/pkgs/servers/http/nginx/unstable.nix
index 5840dee0ba5..4ac1b0b268c 100644
--- a/pkgs/servers/http/nginx/unstable.nix
+++ b/pkgs/servers/http/nginx/unstable.nix
@@ -2,6 +2,7 @@
 , gd, geoip
 , withStream ? false
 , modules ? []
+, hardening ? true
 }:
 
 with stdenv.lib;
@@ -51,7 +52,14 @@ stdenv.mkDerivation rec {
 NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ]
 ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations";
 
- preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules;
+ preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules)
+ + optionalString hardening ''
+ configureFlagsArray=(
+ --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2"
+ --with-ld-opt="-pie -Wl,-z,relro,-z,now"
+ )
+ ''
+ ;
 
 postInstall = ''
 mv $out/sbin $out/bin
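Review bot: The new `hardening` argument is undocumented even though it defaults to `true` and changes the compiler and linker flags of every build of this package, so a consumer reading the argument list cannot tell what switching it off gives up. A trailing comment on the parameter line is the usual place in Nix expressions, e.g. `, hardening ? true  # PIE, stack protector, _FORTIFY_SOURCE and RELRO/BIND_NOW in the nginx build; set to false to build without them`. Keeping the comment next to the argument also makes it visible to `callPackage` overrides without reading the `preConfigure` hook further down.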
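Review bot: `configureFlagsArray=(` in the added hook is a plain assignment, so if any entry of `modules` has a `preConfigure` that already populated `configureFlagsArray`, the hardening snippet — which is concatenated after the module hooks — silently replaces it; `configureFlagsArray+=(` keeps both. The linker options `-Wl,-z,relro,-z,now` are GNU ld options, and this derivation explicitly builds on Darwin (see the `optional stdenv.isDarwin` line just above), where Apple's ld is unlikely to accept `-z` and a default-on `hardening` would then break the build; gating the snippet with `optionalString (hardening && !stdenv.isDarwin) ''` or splitting the ld flags per platform avoids that. `--param ssp-buffer-size=4` only tunes the heuristic of plain `-fstack-protector` and has no effect next to `-fstack-protector-all`, so it can be dropped. Note also that nginx's configure keeps `--with-cc-opt`/`--with-ld-opt` in single variables, so any override that also passes these in `configureFlags` will presumably win or lose wholesale rather than merge — worth a comment in the hook.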
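Review bot: The `--with-ld-opt="-pie -Wl,-z,relro,-z,now"` line is GNU-ld specific, yet this file still supports Darwin (the `optional stdenv.isDarwin` flag immediately above), and with `hardening` defaulting to `true` the Darwin build will presumably fail at link time on the `-z` options; guard the snippet with `optionalString (hardening && !stdenv.isDarwin) ''` or emit only the `-fPIE`/`-pie` and stack-protector parts there. As in default.nix, `configureFlagsArray=(` overwrites anything the module `preConfigure` hooks placed in that array, so `configureFlagsArray+=(` is the safer form. `--param ssp-buffer-size=4` is redundant with `-fstack-protector-all` and can go. Since this block is now duplicated verbatim between default.nix and unstable.nix, consider hoisting the two flag strings into a small shared `let` binding so a future flag change cannot drift between the stable and unstable packages.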