diff --git a/examples/systemd/node_exporter.service b/examples/systemd/node_exporter.service
index 1ef24442d2..a4a5e7cae1 100644
--- a/examples/systemd/node_exporter.service
+++ b/examples/systemd/node_exporter.service
@@ -8,6 +8,45 @@ User=node_exporter
 Environment=OPTIONS=
 EnvironmentFile=-/etc/sysconfig/node_exporter
 ExecStart=/usr/sbin/node_exporter --web.systemd-socket $OPTIONS
+ProtectClock=true
+ProtectHome=read-only
+ProtectSystem=true
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+CapabilityBoundingSet=~CAP_KILL
+CapabilityBoundingSet=~CAP_SYS_MODULE
+CapabilityBoundingSet=~CAP_SYS_BOOT
+CapabilityBoundingSet=~CAP_SYSLOG
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
+CapabilityBoundingSet=~CAP_SYS_PTRACE
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_NET_ADMIN
+CapabilityBoundingSet=~CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=~CAP_NET_RAW
+CapabilityBoundingSet=~CAP_CHOWN
+CapabilityBoundingSet=~CAP_SETFCAP
+CapabilityBoundingSet=~CAP_SETUID
+CapabilityBoundingSet=~CAP_SETGID
+CapabilityBoundingSet=~CAP_SETPCAP
+CapabilityBoundingSet=~CAP_FSETID
+CapabilityBoundingSet=~CAP_NET_BROADCAST
+CapabilityBoundingSet=~CAP_BPF
+CapabilityBoundingSet=~CAP_SYS_RAWIO
+CapabilityBoundingSet=~CAP_SYS_PACCT
+ProtectHostname=true
+SystemCallFilter=~@mount
+SystemCallFilter=~@swap
+SystemCallFilter=~@debug
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@reboot
+SystemCallFilter=~@module
+SystemCallFilter=~@cpu-emulation
+PrivateTmp=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+SystemCallArchitectures=native
+RestrictSUIDSGID=true
 
 [Install]
 WantedBy=multi-user.target
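Review bot: The twenty `CapabilityBoundingSet=~CAP_*` lines and the seven `SystemCallFilter=~@*` lines are deny-lists, so every capability and syscall group they do not name (for example CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_SYS_CHROOT, or anything a future kernel adds) stays permitted. The hunk header shows `User=node_exporter`, and with `NoNewPrivileges=true` and no `AmbientCapabilities=` in the visible lines, an empty `CapabilityBoundingSet=` should be behaviour-neutral while failing closed. An allow-list such as `SystemCallFilter=@system-service` would do the same for syscalls, after a test run with the collectors that are actually enabled. `ProtectSystem=true` makes only `/usr` and the boot loader directories read-only, so `ProtectSystem=full` or `strict` is worth considering if the exporter writes nothing outside its own state. The `[Service]` section begins above the hunk, so directives already set there are not visible here.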