Compiler Options Hardening Guide for C and C++

by the Open Source Security Foundation (OpenSSF) Best Practices Working Group, 2025-03-28

This document is a guide for compiler and linker options that contribute to delivering reliable and secure code using native (or cross) toolchains for C and C++. The objective of compiler options hardening is to produce application binaries (executables) with security mechanisms against potential attacks and/or misbehavior. Hardened compiler options should also produce applications that integrate well with existing platform security features in modern operating systems (OSs). Effectively configuring the compiler options also has several benefits during development, such as enhanced compiler warnings, static analysis, and debug instrumentation.

This document is intended for:

- Those who write C or C++ code, to help them ensure that the resulting code will work with hardened options, including for embedded devices, Internet of Things devices, smartphones, and personal computers.
- Those who build C or C++ code for use in production environments, including Linux distributions, device makers, and those who compile C or C++ for their local environment.

This document focuses on recommended options for the GNU Compiler Collection (GCC) and Clang/LLVM, and we expect the recommendations to be applicable to other compilers based on GCC and Clang technology. In the future, we aim to expand the guide to also cover other compilers, such as Microsoft MSVC.

TL;DR: What compiler options should I use?
When compiling C or C++ code on compilers such as GCC and Clang, turn on these flags in all cases to detect vulnerabilities at compile time and to enable run-time protection mechanisms:

    -O2 -Wall -Wformat -Wformat=2 -Wconversion -Wimplicit-fallthrough \
    -Werror=format-security \
    -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
    -D_GLIBCXX_ASSERTIONS \
    -fstrict-flex-arrays=3 \
    -fstack-clash-protection -fstack-protector-strong \
    -Wl,-z,nodlopen -Wl,-z,noexecstack \
    -Wl,-z...
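Several of the flags above only pay off if the code is written to cooperate with them: `-fstrict-flex-arrays=3` makes the compiler treat only a true C99 flexible array member (`[]`) as variable-length, so a legacy `payload[1]` or `payload[0]` tail becomes a fixed-size array and a copy past it is reported (or, with `-D_FORTIFY_SOURCE=3`, aborted at run time) rather than tolerated; `-Wconversion` flags narrowing assignments. The following is an added example, not code from the OpenSSF guide, showing a small variable-length message type written so that it builds cleanly and stays correct under those flags. The names (`msg_t`, `msg_new`, `msg_set_payload`) are ours, and the sample payload is constructed.

```c
/* Added example (not from the OpenSSF guide): a variable-length message
 * type that is correct under -fstrict-flex-arrays=3 and
 * -D_FORTIFY_SOURCE=3.  Build with, for instance:
 *   gcc -O2 -Wall -Wconversion -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
 *       -fstrict-flex-arrays=3 -fstack-protector-strong msg.c
 * All identifiers below are ours, not the guide's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A true flexible array member.  Under -fstrict-flex-arrays=3 only this
 * form is variable-length; a `uint8_t payload[1];` tail would be sized
 * as exactly one byte and memcpy() past it would be an overflow. */
typedef struct {
    uint32_t kind;
    uint32_t cap;       /* bytes allocated for payload */
    uint32_t len;       /* bytes currently in use */
    uint8_t  payload[]; /* sized at allocation time */
} msg_t;

/* Allocate a message with room for `cap` payload bytes.  Returns NULL if
 * the size computation would wrap or the allocation fails. */
msg_t *msg_new(uint32_t kind, uint32_t cap)
{
    /* Explicit overflow check on offsetof + cap, so 32-bit builds are as
     * honest as 64-bit ones. */
    if (cap > SIZE_MAX - offsetof(msg_t, payload))
        return NULL;
    size_t total = offsetof(msg_t, payload) + cap;
    msg_t *m = calloc(1, total);
    if (m == NULL)
        return NULL;
    m->kind = kind;
    m->cap = cap;
    m->len = 0;
    return m;
}

/* Copy `n` bytes into the payload.  Returns 0 on success and -1 if the
 * data would not fit.  The bound check is what keeps memcpy() inside the
 * object; fortify's __builtin_dynamic_object_size check is only a
 * backstop that would abort the process if this check were missing. */
int msg_set_payload(msg_t *m, const void *src, size_t n)
{
    if (m == NULL || src == NULL)
        return -1;
    if (n > m->cap)
        return -1;
    memcpy(m->payload, src, n);
    /* Explicit narrowing cast keeps -Wconversion quiet; it is safe
     * because n <= cap and cap is itself a uint32_t. */
    m->len = (uint32_t)n;
    return 0;
}

/* Number of payload bytes still free in the message. */
uint32_t msg_room(const msg_t *m)
{
    return m == NULL ? 0 : m->cap - m->len;
}

int main(void)
{
    const char sample[] = "hello, world"; /* constructed sample payload */
    msg_t *m = msg_new(1, 16);
    if (m == NULL)
        return 1;
    int ok = msg_set_payload(m, sample, sizeof sample);      /* fits   */
    int too_big = msg_set_payload(m, sample, 64);            /* refused */
    printf("set=%d oversize=%d len=%u room=%u\n",
           ok, too_big, m->len, msg_room(m));
    free(m);
    return 0;
}
```

The point of the example is the division of labour: the explicit `n > m->cap` check is the program's own defence and is what returns `-1` on oversized input, while `_FORTIFY_SOURCE=3` and `-fstrict-flex-arrays=3` turn any copy that slips past such a check into a detected failure instead of silent memory corruption.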