diff --git a/Cargo.lock b/Cargo.lock
index fe248ae..208493a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -594,6 +594,15 @@ version = "0.3.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d1a3ea4f0dd7f1f3e512cf97bf100819aa547f36a6eccac8dbaae839eb92363e"
 
+[[package]]
+name = "pledge"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "252599417b7d9a43b7fdc63dd790b0848666a8910b2ebe1a25118309c3c981e5"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "ppv-lite86"
 version = "0.2.15"
@@ -995,6 +1004,15 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
 
+[[package]]
+name = "unveil"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e7fa867d559102001ec694165ed17d5f82e95213060a65f9c8b6280084bbfec"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "url"
 version = "2.2.2"
@@ -1014,11 +1032,13 @@ dependencies = [
  "anyhow",
  "envy",
  "ldap3",
+ "pledge",
  "reqwest",
  "serde",
  "serde_json",
  "thiserror",
  "toml",
+ "unveil",
 ]
 
 [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index e77a22f..e361f35 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -13,3 +13,5 @@ serde_json = "1.0"
 thiserror = "1.0"
 anyhow = "1.0"
 envy = "0.4.1"
+pledge = "0.4.2"
+unveil = "0.3.2"
diff --git a/src/main.rs b/src/main.rs
index edee68a..27f85fb 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,5 +1,7 @@
 extern crate anyhow;
 extern crate ldap3;
+extern crate pledge;
+extern crate unveil;
 
 use std::collections::HashSet;
 use std::thread::sleep;
@@ -9,6 +11,8 @@ use anyhow::Context as _;
 use anyhow::Error as AnyError;
 use anyhow::Result;
 use ldap3::{DerefAliases, LdapConn, LdapConnSettings, Scope, SearchEntry, SearchOptions};
+use pledge::pledge;
+use unveil::unveil;
 
 mod config;
 mod vw_admin;
@@ -21,6 +25,16 @@ fn main() {
         config.get_vaultwarden_root_cert_file(),
     );
 
+    unveil(config::get_config_path(), "r")
+        .or_else(unveil::Error::ignore_platform)
+        .expect("Could not unveil config file");
+    unveil("", "")
+        .or_else(unveil::Error::ignore_platform)
+        .expect("Could not disable further unveils");
+    pledge("dns flock inet rpath stdio tty", "")
+        .or_else(pledge::Error::ignore_platform)
+        .expect("Could not pledge permissions");
+
     invite_users(&config, &mut client, config.get_ldap_sync_loop())
 }