diff --git a/nixos/modules/services/web-apps/readeck.nix b/nixos/modules/services/web-apps/readeck.nix
index f0e7252f40bd..03ee4385e709 100644
--- a/nixos/modules/services/web-apps/readeck.nix
+++ b/nixos/modules/services/web-apps/readeck.nix
@@ -68,6 +68,7 @@ in
         ExecStart = "${lib.getExe cfg.package} serve -config ${configFile}";
         ProtectSystem = "full";
         SystemCallArchitectures = "native";
+        MemoryDenyWriteExecute = true;
         NoNewPrivileges = true;
         PrivateTmp = true;
         PrivateDevices = true;