diff --git a/admin_manual/configuration_server/background_jobs_configuration.rst b/admin_manual/configuration_server/background_jobs_configuration.rst
index dcce976cc56..3f6a691df2c 100644
--- a/admin_manual/configuration_server/background_jobs_configuration.rst
+++ b/admin_manual/configuration_server/background_jobs_configuration.rst
@@ -139,6 +139,37 @@ This approach requires two files: **nextcloudcron.service** and **nextcloudcron.
   ExecStart=/usr/bin/php -f /var/www/nextcloud/cron.php
   KillMode=process
 
+  # Optional security hardening
+  CapabilityBoundingSet=
+  DevicePolicy=closed
+  LockPersonality=yes
+  NoNewPrivileges=yes
+  PrivateDevices=yes
+  PrivateIPC=yes
+  PrivateMounts=yes
+  PrivateTmp=yes
+  PrivateUsers=yes
+  ProcSubset=pid
+  ProtectClock=yes
+  ProtectControlGroups=yes
+  ProtectHostname=yes
+  ProtectKernelLogs=yes
+  ProtectKernelModules=yes
+  ProtectKernelTunables=yes
+  ProtectProc=invisible
+  ProtectSystem=strict
+  RemoveIPC=yes
+  RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+  RestrictNamespaces=yes
+  RestrictRealtime=yes
+  RestrictSUIDSGID=yes
+  SecureBits=noroot-locked
+  SystemCallArchitectures=native
+  SystemCallFilter=@system-service
+  SystemCallFilter=~@privileged
+  SystemCallFilter=~@resources
+  UMask=0077
+
 Replace the user ``www-data`` with the user of your http server and ``/var/www/nextcloud/cron.php`` with the location of **cron.php** in your nextcloud directory.
 
 The `ExecCondition` checks that the nextcloud instance is operating normally before running the background job, and skips it if otherwise.