diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
index f2fc0328e3ce..93daff3c3257 100644
--- a/src/systemd/cockpit-wsinstance-http.service.in
+++ b/src/systemd/cockpit-wsinstance-http.service.in
@@ -9,3 +9,17 @@ After=cockpit-session.socket
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
 DynamicUser=true
 Group=cockpit-session-socket
+
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+SystemCallFilter=@system-service
+
+# cockpit-tls does all our outside networking
+PrivateNetwork=yes
+PrivateIPC=yes
+RestrictAddressFamilies=AF_UNIX
+
+# extra protection for our TLS keys -- only cockpit-tls should read them
+InaccessiblePaths=-/etc/cockpit/ws-certs.d
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
index 8362f0aadfc5..acfbc42bf3d4 100644
--- a/src/systemd/cockpit-wsinstance-https@.service.in
+++ b/src/systemd/cockpit-wsinstance-https@.service.in
@@ -10,3 +10,17 @@ Slice=system-cockpithttps.slice
 ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
 DynamicUser=yes
 Group=cockpit-session-socket
+
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+SystemCallFilter=@system-service
+
+# cockpit-tls does all our outside networking
+PrivateNetwork=yes
+PrivateIPC=yes
+RestrictAddressFamilies=AF_UNIX
+
+# extra protection for our TLS keys -- only cockpit-tls should read them
+InaccessiblePaths=-/etc/cockpit/ws-certs.d
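Review bot: The new `SystemCallFilter=@system-service` line, in both cockpit-wsinstance-http.service.in and cockpit-wsinstance-https@.service.in, is not paired with `SystemCallArchitectures=native`; systemd's own guidance is to disable alternative ABIs together with a syscall allow-list so the filter cannot be sidestepped through a secondary architecture on multi-ABI hosts. The closing `InaccessiblePaths=-/etc/cockpit/ws-certs.d` hides that path inside the unit's mount namespace only, and per the systemd documentation it does not extend to submounts created later or to other paths reaching the same files, so the comment's "only cockpit-tls should read them" still rests primarily on the directory's ownership and mode, which are presumably set elsewhere. I would add `SystemCallArchitectures=native` directly after the filter line in both units and rephrase the comment to `# extra protection for our TLS keys -- file permissions are the primary control, this only hides the path from cockpit-ws`.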
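Review bot: The added block in cockpit-wsinstance-https@.service.in mixes `=true` (`PrivateDevices=true`, `MemoryDenyWriteExecute=true`) with `=yes` (`PrivateNetwork=yes`, `PrivateIPC=yes`), while this unit's existing context line reads `DynamicUser=yes` and the http unit's reads `DynamicUser=true`; the http hunk has the same mix. Both spellings are accepted booleans, so this is wording only, but settling on one form per file (for example `PrivateDevices=yes` and `MemoryDenyWriteExecute=yes` here) would read more consistently. `PrivateIPC=` is also a newer directive than its neighbours; a systemd that does not recognise it logs the key as unknown and ignores it rather than failing the unit, so it is worth confirming that the oldest supported target actually applies that isolation.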