Compiler Options Hardening Guide for C and C++ - OpenSSF / HN

When compiling C or C++ code on compilers such as GCC and clang, turn on these flags for detecting vulnerabilities at compile time and enable run-time protection mechanisms:

-O2 -Wall -Wformat -Wformat=2 -Wconversion -Wimplicit-fallthrough \
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
-D_GLIBCXX_ASSERTIONS \
-fstrict-flex-arrays=3 \
-fstack-clash-protection -fstack-protector-strong \
-Wl,-z,nodlopen -Wl,-z,noexecstack \
-Wl,-z,relro -Wl,-z,now

see also

• No more leaks with sanitize flags in gcc and clang - run a memory sanitizer inside your program
  • Catching sanitizer errors programmatically
• How to build highly-debuggable C++ binaries / HN