diff --git a/configure.ac b/configure.ac
index 66d4aa7..3c91f13 100644
--- a/configure.ac
+++ b/configure.ac
@@ -44,6 +44,51 @@ AC_ARG_ENABLE([compile-warnings],
 AC_SUBST([WARNING_CXXFLAGS])
 AC_SUBST([PICKY_CXXFLAGS])
 
+# We use the same hardening flags for C and C++.  We must check that each flag
+# is supported by both compilers.
+AC_DEFUN([check_cc_cxx_flag],
+ [AC_LANG_PUSH(C)
+  AX_CHECK_COMPILE_FLAG([$1],
+   [AC_LANG_PUSH(C++)
+    AX_CHECK_COMPILE_FLAG([$1], [$2], [$3], [-Werror $4])
+    AC_LANG_POP(C++)],
+   [$3], [-Werror $4])
+  AC_LANG_POP(C)])
+AC_DEFUN([check_link_flag],
+ [AX_CHECK_LINK_FLAG([$1], [$2], [$3], [-Werror $4])])
+
+AC_ARG_ENABLE([hardening],
+  [AS_HELP_STRING([--enable-hardening],
+    [Enable compiler and linker options to frustrate memory corruption exploits @<:@yes@:>@])],
+  [hardening="$enableval"],
+  [hardening="yes"])
+
+HARDEN_CFLAGS=""
+HARDEN_LDFLAGS=""
+AS_IF([test x"$hardening" != x"no"], [
+  check_cc_cxx_flag([-fno-strict-overflow], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fno-strict-overflow"])
+
+  # This one will likely succeed, even on platforms where it does nothing.
+  check_cc_cxx_flag([-D_FORTIFY_SOURCE=2], [HARDEN_CFLAGS="$HARDEN_CFLAGS -D_FORTIFY_SOURCE=2"])
+
+  check_cc_cxx_flag([-fstack-protector-all],
+   [HARDEN_CFLAGS="$HARDEN_CFLAGS -fstack-protector-all"
+    check_cc_cxx_flag([-Wstack-protector], [HARDEN_CFLAGS="$HARDEN_CFLAGS -Wstack-protector"],
+      [], [-fstack-protector-all])
+    check_cc_cxx_flag([--param ssp-buffer-size=1], [HARDEN_CFLAGS="$HARDEN_CFLAGS --param ssp-buffer-size=1"],
+      [], [-fstack-protector-all])])
+
+  check_cc_cxx_flag([-fPIE],
+   [check_link_flag([-pie],
+     [HARDEN_CFLAGS="$HARDEN_CFLAGS -fPIE"
+      HARDEN_LDFLAGS="$HARDEN_LDFLAGS -pie"])])
+
+  check_link_flag([-Wl,-z,relro],
+   [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,relro"
+    check_link_flag([-Wl,-z,now], [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,now"])])])
+AC_SUBST([HARDEN_CFLAGS])
+AC_SUBST([HARDEN_LDFLAGS])
+
 AC_ARG_ENABLE([client],
   [AS_HELP_STRING([--enable-client], [Build the mosh-client program @<:@yes@:>@])],
   [build_client="$enableval"],