diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 5239fb18..b7af93fd 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -35,7 +35,7 @@ jobs:
 - name: Configure
 env:
 CC: ${{ matrix.compiler }}
- run: cmake -B build -G "Ninja" -DENABLE_WERROR=ON
+ run: cmake -B build -G "Ninja" -DENABLE_WERROR=ON -DENABLE_HARDENING=ON
 
 - name: Build
 run: cmake --build build
diff --git a/cmake/WoofSettings.cmake b/cmake/WoofSettings.cmake
index a49c7b60..0193bee8 100644
--- a/cmake/WoofSettings.cmake
+++ b/cmake/WoofSettings.cmake
@@ -44,12 +44,6 @@ _checked_add_compile_option(-Wnull-dereference)
 _checked_add_compile_option(-Wredundant-decls)
 _checked_add_compile_option(-Wrestrict)
 
-# Hardening flags (from dpkg-buildflags)
-
-_checked_add_compile_option(-fstack-protector-strong)
-_checked_add_compile_option(-D_FORTIFY_SOURCE=2)
-_checked_add_link_option(-Wl,-z,relro)
-
 if(MSVC)
 # Silence the usual warnings for POSIX and standard C functions.
 list(APPEND COMMON_COMPILE_OPTIONS "/D_CRT_NONSTDC_NO_DEPRECATE")
@@ -93,6 +87,13 @@ if(ENABLE_ASAN)
 _checked_add_link_option(-fsanitize=address)
 endif()
 
+option(ENABLE_HARDENING "Enable hardening flags" OFF)
+if(ENABLE_HARDENING)
+ _checked_add_compile_option(-fstack-protector-strong)
+ _checked_add_compile_option(-D_FORTIFY_SOURCE=2)
+ _checked_add_link_option(-Wl,-z,relro)
+endif()
+
 if(${FORCE_COLORED_OUTPUT})
 _checked_add_compile_option(-fdiagnostics-color=always F_DIAG_COLOR)
 if (NOT F_DIAG_COLOR)
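Review bot: The Configure step now passes `-DENABLE_HARDENING=ON` together with `-DENABLE_WERROR=ON` but sets no build type on this line, and `_FORTIFY_SOURCE` only takes effect when the compiler is optimizing. If the project does not default `CMAKE_BUILD_TYPE` to an optimized configuration elsewhere, the fortify checks would be inert in CI, and on glibc toolchains the resulting "requires compiling with optimization" warning may be promoted to an error. Consider making the build type explicit here, for example appending `-DCMAKE_BUILD_TYPE=RelWithDebInfo` to the `run:` line.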
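Review bot: `option(ENABLE_HARDENING "Enable hardening flags" OFF)` makes the stack protector, `_FORTIFY_SOURCE` and RELRO opt-in, so any build configured without `-DENABLE_HARDENING=ON` loses mitigations that the removed lines applied whenever the compiler accepted them. In this diff only the CI workflow passes that flag. If the OFF default is deliberate, the help string should say what is being skipped, e.g. `option(ENABLE_HARDENING "Enable hardening flags: stack protector, _FORTIFY_SOURCE=2, RELRO (recommended for release builds)" OFF)`; otherwise default it to `ON`. Separately, `-Wl,-z,relro` on its own gives only partial RELRO; adding `_checked_add_link_option(-Wl,-z,now)` inside the `if(ENABLE_HARDENING)` block would also make the GOT read-only after startup.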