diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6b13f717..919c95d5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -7,6 +7,17 @@ project(deepin-reader LANGUAGES CXX C )
+if(CMAKE_BUILD_TYPE STREQUAL "Release")
+ message("Enable build hardening.")
+
+ set(CMAKE_VERBOSE_MAKEFILE ON)
+
+ set(HARDENING_FLAGS "-Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=${CMAKE_SOURCE_DIR}=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${HARDENING_FLAGS}")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${HARDENING_FLAGS}")
+ set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro -Wl,-z,now")
+endif()
+
 # 设置C++标准
 set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
diff --git a/reader/reader.pro b/reader/reader.pro
index 54750246..a1810e98 100755
--- a/reader/reader.pro
+++ b/reader/reader.pro
@@ -44,12 +44,12 @@ DEFINES += QMAKE_INSTALL_PREFIX=\"\\\"$$PREFIX\\\"\"
 #QMAKE_LFLAGS += -g -fsanitize=undefined,address -O2
 #安全编译参数
-QMAKE_CFLAGS += -fstack-protector-strong -D_FORTITY_SOURCE=1 -z noexecstack -pie -fPIC -z lazy
-QMAKE_CXXFLAGS += -fstack-protector-strong -D_FORTITY_SOURCE=1 -z noexecstack -pie -fPIC -z lazy
+QMAKE_CFLAGS += -fstack-protector-strong -D_FORTITY_SOURCE=1 -z noexecstack -pie -fPIC -z lazy -D_FORTIFY_SOURCE=2 -O2
+QMAKE_CXXFLAGS += -fstack-protector-strong -D_FORTITY_SOURCE=1 -z noexecstack -pie -fPIC -z lazy -D_FORTIFY_SOURCE=2 -O2
 QMAKE_CXXFLAGS += -fPIE
-QMAKE_LFLAGS += -pie
+QMAKE_LFLAGS += -pie -Wl,-z,relro -Wl,-z,now
 DEFINES += APP_VERSION=\\\"$$VERSION\\\"
 message("APP_VERSION: "$$VERSION)
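Review bot: The guard `if(CMAKE_BUILD_TYPE STREQUAL "Release")` turns the hardening flags on only for a single-config build whose type is exactly `Release`; a build configured as `RelWithDebInfo`, `MinSizeRel`, with an empty build type, or with a multi-config generator gets none of them and prints nothing to say so. The flag string already carries its own `-O2`, so `_FORTIFY_SOURCE` does not depend on the Release configuration, and excluding only the debug case would be enough: `if(NOT CMAKE_BUILD_TYPE STREQUAL "Debug")`. The linker options go into `CMAKE_EXE_LINKER_FLAGS` alone, so any shared library or module this project builds would link without RELRO and immediate binding unless `CMAKE_SHARED_LINKER_FLAGS` and `CMAKE_MODULE_LINKER_FLAGS` receive the same `-Wl,-z,relro -Wl,-z,now`. Nothing in the hunk requests a position-independent executable, which the qmake build does with `-pie`; if it is not set elsewhere in this file, `set(CMAKE_POSITION_INDEPENDENT_CODE ON)` is the usual way to ask for it.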
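Review bot: Both new compiler-flag lines still carry the misspelled `-D_FORTITY_SOURCE=1`, which defines a macro nothing reads, next to the correct `-D_FORTIFY_SOURCE=2` that this change appends; the misspelled define should be dropped so each line states one fortify level. The same lines keep `-z noexecstack -pie -z lazy` in `QMAKE_CFLAGS` and `QMAKE_CXXFLAGS`: these are link-time options, so on compile-only invocations they should have no effect, and `-z lazy` is the opposite of the `-Wl,-z,now` now added to `QMAKE_LFLAGS`. I would reduce the compiler lines to `QMAKE_CFLAGS += -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -fPIC` (likewise for `QMAKE_CXXFLAGS`) and put the stack option on the link line, `QMAKE_LFLAGS += -pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack`. Running `readelf -lW` and `readelf -dW` on the built binary confirms the result: a `GNU_RELRO` segment, a `GNU_STACK` segment without the execute flag, and a `BIND_NOW` entry in the dynamic section.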