diff --git a/freebsd/Makefile b/freebsd/Makefile
index e6b78db..b46363a 100644
--- a/freebsd/Makefile
+++ b/freebsd/Makefile
@@ -27,6 +27,7 @@ all: spectrwm libswmhack.so.$(LVERS)
 spectrwm.c:
 	ln -sf ../spectrwm.c
 	ln -sf ../version.h
+	ln -sf ../linux/pledge.h
 
 swm_hack.c:
 	ln -sf ../lib/swm_hack.c
@@ -50,7 +51,7 @@ install: all
 	ln -sf spectrwm $(SWM_BINDIR)/scrotwm
 
 clean:
-	rm -f spectrwm *.o *.so libswmhack.so.* spectrwm.c swm_hack.c version.h
+	rm -f spectrwm *.o *.so libswmhack.so.* spectrwm.c swm_hack.c version.h pledge.h
 
 .PHONY:	all install clean
 
diff --git a/linux/pledge.h b/linux/pledge.h
new file mode 100644
index 0000000..ac646cc
--- /dev/null
+++ b/linux/pledge.h
@@ -0,0 +1 @@
+#define	pledge(promises, execpromises)	(0)
diff --git a/osx/Makefile b/osx/Makefile
index 898a1ac..a9a8eae 100644
--- a/osx/Makefile
+++ b/osx/Makefile
@@ -37,6 +37,7 @@ spectrwm.c:
 	ln -sf ../linux/tree.h
 	ln -sf ../spectrwm.c
 	ln -sf ../version.h
+	ln -sf ../linux/pledge.h
 
 swm_hack.c:
 	ln -sf ../lib/swm_hack.c
@@ -64,6 +65,6 @@ install: all
 	ln -sf libswmhack.so.0.0 $(DESTDIR)$(LIBDIR)/libswmhack.so
 
 clean:
-	rm -f spectrwm *.o *.so libswmhack.so.* spectrwm.c swm_hack.c tree.h version.h
+	rm -f spectrwm *.o *.so libswmhack.so.* spectrwm.c swm_hack.c tree.h version.h pledge.h
 
 .PHONY: all install clean
diff --git a/spectrwm.c b/spectrwm.c
index ad26d70..99784af 100644
--- a/spectrwm.c
+++ b/spectrwm.c
@@ -54,6 +54,9 @@
 #include <fcntl.h>
 #include <locale.h>
 #include <paths.h>
+#if !defined(__OpenBSD__)
+#include "pledge.h"
+#endif
 #include <pwd.h>
 #include <regex.h>
 #include <signal.h>
@@ -3863,6 +3866,9 @@ spawn(int ws_idx, union arg *args, bool close_fd)
 	if (args == NULL || args->argv[0] == NULL)
 		return;
 
+	if (pledge("stdio proc exec", NULL) == -1)
+		err(1, "pledge");
+
 	DNPRINTF(SWM_D_MISC, "%s\n", args->argv[0]);
 
 	close(xcb_get_file_descriptor(conn));
@@ -12452,6 +12458,9 @@ main(int argc, char *argv[])
 	if (setlocale(LC_CTYPE, "") == NULL || setlocale(LC_TIME, "") == NULL)
 		warnx("no locale support");
 
+	if (pledge("stdio rpath proc exec getpw dns unix", NULL) == -1)
+		err(1, "pledge");
+
 	/* handle some signals */
 	bzero(&sact, sizeof(sact));
 	sigemptyset(&sact.sa_mask);
@@ -12478,6 +12487,9 @@ main(int argc, char *argv[])
 	xcb_prefetch_extension_data(conn, &xcb_randr_id);
 	xfd = xcb_get_file_descriptor(conn);
 
+	if (pledge("stdio rpath proc exec getpw", NULL) == -1)
+		err(1, "pledge");
+
 	/* look for local and global conf file */
 	pwd = getpwuid(getuid());
 	if (pwd == NULL)