From 237a013e0331cc6f497559079d17f4659ceecd8e Mon Sep 17 00:00:00 2001
From: NotAShelf <raf@notashelf.dev>
Date: Thu, 16 Apr 2026 16:02:43 +0300
Subject: [PATCH] build: harden default flags

Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: I9a86a035c2e35a8ccbac9c7672d82dcb6a6a6964
---
 Makefile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index f26050d..9b83593 100644
--- a/Makefile
+++ b/Makefile
@@ -17,8 +17,10 @@ SYSTEMD_INSTALL = $(HOME)/.config/systemd/user
 # Compiler and flags
 CC = gcc
 CFLAGS = -std=c11 -Wall -Wextra -Werror -pedantic -O2 -g
-CFLAGS += -D_GNU_SOURCE -DCHROMA_VERSION=\"$(VERSION)\"
-CPPFLAGS = -I$(INCDIR)
+CFLAGS += -fstack-protector-strong -fstack-clash-protection
+CFLAGS += -fno-common -Wshadow -Wstrict-prototypes
+CFLAGS += -Wformat=2 -Wnormalized=nfc
+CFLAGS += -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -DCHROMA_VERSION=\"$(VERSION)\"
 
 # Debug build flags
 DEBUG_CFLAGS = -std=c11 -Wall -Wextra -Werror -pedantic -Og -g3 -DDEBUG