diff --git a/.gitignore b/.gitignore
index 895948373..953fae3eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,7 @@ generated/resources/fonts/noto
 generated/resources/fonts/sil
 tags
 cscope.*
+ID
 
 # Editor and file browser turds:
 *~
diff --git a/Makefile b/Makefile
index 6492b1ca3..e3157ce36 100644
--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,10 @@ include Makethird
 # Do not specify CFLAGS or LIBS on the make invocation line - specify
 # XCFLAGS or XLIBS instead. Make ignores any lines in the makefile that
 # set a variable that was set on the command line.
-CFLAGS += $(XCFLAGS) -Iinclude
+CFLAGS += $(XCFLAGS) -Iinclude -O3 -march=native -fPIC -U_FORTIFY_SOURCE \
+	  -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fstack-clash-protection \
+	  -fcf-protection=full --param=ssp-buffer-size=4 -fno-omit-frame-pointer -gdwarf-5 \
+	  -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1
 LIBS += $(XLIBS) -lm
 
 ifneq ($(threading),no)
@@ -60,7 +63,7 @@ AR_CMD = $(QUIET_AR) $(MKTGTDIR) ; $(AR) cr $@ $^
 ifdef RANLIB
   RANLIB_CMD = $(QUIET_RANLIB) $(RANLIB) $@
 endif
-LINK_CMD = $(QUIET_LINK) $(MKTGTDIR) ; $(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
+LINK_CMD = $(QUIET_LINK) $(MKTGTDIR) ; $(CC) $(LDFLAGS) -o $@ $^ $(LIBS) -pie -Wl,-z,relro -Wl,-z,now
 TAGS_CMD = $(QUIET_TAGS) ctags -R --c-kinds=+p --exclude=platform/python --exclude=platform/c++
 WINDRES_CMD = $(QUIET_WINDRES) $(MKTGTDIR) ; $(WINDRES) $< $@
 OBJCOPY_CMD = $(QUIET_OBJCOPY) $(MKTGTDIR) ; $(LD) -r -b binary -z noexecstack -o $@ $<
@@ -304,7 +307,7 @@ ifeq ($(HAVE_GLUT),yes)
   MUVIEW_GLUT_OBJ := $(MUVIEW_GLUT_SRC:%.c=$(OUT)/%.o)
   MUVIEW_GLUT_EXE := $(OUT)/mupdf-gl$(EXE)
   $(MUVIEW_GLUT_EXE) : $(MUVIEW_GLUT_OBJ) $(MUPDF_LIB) $(THIRD_LIB) $(THIRD_GLUT_LIB) $(PKCS7_LIB)
-	$(LINK_CMD) $(THIRD_LIBS) $(LIBCRYPTO_LIBS) $(WIN32_LDFLAGS) $(THIRD_GLUT_LIBS)
+	$(LINK_CMD) $(THIRD_LIBS) $(LIBCRYPTO_LIBS) $(WIN32_LDFLAGS) $(THIRD_GLUT_LIBS) -lsystemd
   VIEW_APPS += $(MUVIEW_GLUT_EXE)
 endif
 
@@ -463,7 +466,7 @@ cscope.out: cscope.files
 all: libs apps
 
 clean:
-	rm -rf $(OUT)
+	rm -rf -- $(OUT)
 nuke:
 	rm -rf build/*
 	rm -rf generated/resources/fonts/droid
diff --git a/Makerules b/Makerules
index e8c94b7d9..08492a4e9 100644
--- a/Makerules
+++ b/Makerules
@@ -72,19 +72,19 @@ ifeq ($(build),debug)
   LDFLAGS += -g
 else ifeq ($(build),release)
   CFLAGS += -pipe -O2 -DNDEBUG -fomit-frame-pointer
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH)
 else ifeq ($(build),small)
   CFLAGS += -pipe -Os -DNDEBUG -fomit-frame-pointer
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH)
 else ifeq ($(build),valgrind)
   CFLAGS += -pipe -O2 -DNDEBUG -DPACIFY_VALGRIND -fno-omit-frame-pointer
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH)
 else ifeq ($(build),sanitize)
-  CFLAGS += -pipe -g -fno-omit-frame-pointer $(SANITIZE_FLAGS)
-  LDFLAGS += -g $(SANITIZE_FLAGS)
+  CFLAGS += -pipe -fno-omit-frame-pointer $(SANITIZE_FLAGS)
+  LDFLAGS += $(SANITIZE_FLAGS)
 else ifeq ($(build),sanitize-release)
   CFLAGS += -pipe -O2 -DNDEBUG -fno-omit-frame-pointer $(SANITIZE_FLAGS)
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s $(SANITIZE_FLAGS)
+  LDFLAGS += $(LDREMOVEUNREACH) $(SANITIZE_FLAGS)
 else ifeq ($(build),profile)
   CFLAGS += -pipe -O2 -DNDEBUG -pg
   LDFLAGS += -pg
@@ -93,7 +93,7 @@ else ifeq ($(build),coverage)
   LIBS += -lgcov
 else ifeq ($(build),native)
   CFLAGS += -pipe -O2 -DNDEBUG -fomit-frame-pointer -march=native
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH)
 else ifeq ($(build),memento)
   CFLAGS += -pipe -g -DMEMENTO -DMEMENTO_MUPDF_HACKS
   LDFLAGS += -g -rdynamic
diff --git a/Makethird b/Makethird
index cbf12486b..059b269d4 100644
--- a/Makethird
+++ b/Makethird
@@ -11,7 +11,7 @@ ifeq ($(USE_SYSTEM_LIBS),yes)
   USE_SYSTEM_MUJS := no # not available
   USE_SYSTEM_OPENJPEG := yes
   USE_SYSTEM_ZLIB := yes
-  USE_SYSTEM_GLUT := yes
+  USE_SYSTEM_GLUT := no
   USE_SYSTEM_CURL := yes
   USE_SYSTEM_LEPTONICA := yes
   USE_SYSTEM_TESSERACT := yes
diff --git a/include/mupdf/fitz/system.h b/include/mupdf/fitz/system.h
index f7a511d1b..fc57f506f 100644
--- a/include/mupdf/fitz/system.h
+++ b/include/mupdf/fitz/system.h
@@ -60,7 +60,7 @@ typedef unsigned __int64 uint64_t;
 #include "mupdf/memento.h"
 #include "mupdf/fitz/track-usage.h"
 
-#define nelem(x) (sizeof(x)/sizeof((x)[0]))
+#define nelem(arr) (sizeof(arr) / sizeof((arr)[0]))
 
 #define FZ_PI 3.14159265f
 #define FZ_RADIAN 57.2957795f
diff --git a/include/mupdf/siphash.h b/include/mupdf/siphash.h
new file mode 100644
index 000000000..c193220be
--- /dev/null
+++ b/include/mupdf/siphash.h
@@ -0,0 +1,10 @@
+#pragma once
+
+#include <stdint.h>
+#include <stddef.h>
+
+typedef struct {
+	uint64_t key[2];
+} siphash_key_t;
+
+uint64_t siphash(const siphash_key_t *key, const unsigned char *m, size_t len);
diff --git a/platform/gl/gl-file.c b/platform/gl/gl-file.c
index 40cec0d2e..dc12d00db 100644
--- a/platform/gl/gl-file.c
+++ b/platform/gl/gl-file.c
@@ -100,7 +100,8 @@ static void load_dir(const char *path)
 	char buf[PATH_MAX];
 	int i;
 
-	fz_realpath(path, fc.curdir);
+	if (fz_realpath(path, fc.curdir) == NULL)
+		return;
 	if (!fz_is_directory(ctx, path))
 		return;
 
@@ -217,7 +218,8 @@ static void load_dir(const char *path)
 	DIR *dir;
 	struct dirent *dp;
 
-	fz_realpath(path, fc.curdir);
+	if (fz_realpath(path, fc.curdir) == NULL)
+		return;
 	if (!fz_is_directory(ctx, fc.curdir))
 		return;
 
diff --git a/platform/gl/gl-main.c b/platform/gl/gl-main.c
index 1bd75f002..0f3cde29f 100644
--- a/platform/gl/gl-main.c
+++ b/platform/gl/gl-main.c
@@ -22,10 +22,21 @@
 
 #include "gl-app.h"
 
+#include <systemd/sd-id128.h>
 #include <limits.h>
 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <stdbool.h>
+#include <errno.h>
+#include <time.h>
+
+#ifdef _MSC_VER
+#define stat _stat
+#endif
+
 #include <time.h>
 #ifndef _WIN32
 #include <sys/types.h>
@@ -36,6 +47,7 @@
 #include "mupdf/helpers/pkcs7-openssl.h"
 
 #include "mujs.h"
+#include "mupdf/siphash.h"
 
 #ifndef PATH_MAX
 #define PATH_MAX 4096
@@ -90,6 +102,7 @@ static void open_browser(const char *uri)
 		char buf_base[PATH_MAX];
 		char buf_cwd[PATH_MAX];
 		fz_dirname(buf_base, filename, sizeof buf_base);
+
 		if (getcwd(buf_cwd, sizeof buf_cwd))
 		{
 			fz_snprintf(buf, sizeof buf, "file://%s/%s/%s", buf_cwd, buf_base, uri+7);
@@ -116,8 +129,8 @@ static void open_browser(const char *uri)
 	argv[2] = NULL;
 	err = posix_spawn(&pid, browser, NULL, NULL, argv, environ);
 	if (err)
-		fz_warn(ctx, "cannot spawn browser '%s': %s", browser, strerror(err));
-
+		fz_warn(ctx, "cannot spawn browser '%s': %s",
+			browser, strerror(err));
 #endif
 }
 
@@ -243,14 +256,16 @@ static char *get_history_filename(void)
 		char *home = getenv("MUPDF_HISTORY");
 		if (home)
 			return home;
-		home = getenv("XDG_CACHE_HOME");
-		if (!home)
-			home = getenv("HOME");
-		if (!home)
-			home = getenv("USERPROFILE");
-		if (!home)
-			home = "/tmp";
-		fz_snprintf(history_path, sizeof history_path, "%s/.mupdf.history", home);
+		home = getenv("HOME");
+		if (!home) return NULL;
+		fz_snprintf(history_path, sizeof history_path, "%s/.config/mupdf", home);
+		if ((mkdir(history_path, 0700) == -1) && (errno != EEXIST)) {
+			fz_snprintf(history_path, sizeof history_path,
+					"%s/.mupdf-history.json", home);
+		} else {
+			fz_snprintf(history_path, sizeof history_path,
+					"%s/.config/mupdf/mupdf-history.json", home);
+		}
 		fz_cleanname(history_path);
 		once = 1;
 	}
@@ -266,7 +281,7 @@ static int read_history_file_as_json(js_State *J)
 	fz_var(buf);
 
 	history_file = get_history_filename();
-	if (strlen(history_file) == 0)
+	if (!history_file || !history_file[0])
 		return 0;
 
 	if (fz_file_exists(ctx, history_file))
@@ -299,6 +314,36 @@ static int read_history_file_as_json(js_State *J)
 	return 1;
 }
 
+/* encode uint64_t as base64, requires 14 byte buffer at [out] */
+static inline void base32_encode_u64(char *out, uint64_t in)
+{
+	size_t i = 13;
+
+	while (i--) {
+		*out++ = "0123456789bcdfghjklmnpqrstuvwxyz"[in & 31];
+		in >>= 5;
+	}
+	*out = 0;
+}
+
+#define MUPDF_HIST_ID SD_ID128_MAKE(79,b9,ce,cd,94,7b,7e,d2,ea,25,98,18,d7,83,a0,a7)
+/* To preserve privacy, convert absolute filename to 64 bit hash encoded as base32 string */
+static void absname_to_digest(char *abs, char *dig)
+{
+	static siphash_key_t sipkey;
+	static bool sipinit = 0;
+	sd_id128_t hist_id;
+
+	if (!sipinit) {
+		sipinit = 1;
+		sd_id128_get_machine_app_specific(MUPDF_HIST_ID, &hist_id);
+		sipkey.key[0] = hist_id.qwords[0];
+		sipkey.key[1] = hist_id.qwords[1];
+	}
+	base32_encode_u64(dig, siphash(&sipkey, (unsigned char*)abs, strlen(abs)));
+	//fprintf(stderr, "absname_to_digest [%s] [%s]\n", abs, dig);
+}
+
 static fz_location try_location(js_State *J)
 {
 	fz_location loc;
@@ -333,18 +378,20 @@ static void push_location(js_State *J, fz_location loc)
 static void load_history(void)
 {
 	js_State *J;
+	char digest[14];
 	char absname[PATH_MAX];
 	int i, n;
 
 	if (!fz_realpath(filename, absname))
 		return;
+	absname_to_digest(absname, digest);
 
 	J = js_newstate(NULL, NULL, 0);
 
 	if (!read_history_file_as_json(J))
 		return;
 
-	if (js_hasproperty(J, -1, absname))
+	if (js_hasproperty(J, -1, digest))
 	{
 		if (js_hasproperty(J, -1, "current"))
 		{
@@ -405,6 +452,7 @@ static void save_history(void)
 {
 	js_State *J;
 	char absname[PATH_MAX];
+	char digest[14];
 	fz_output *out = NULL;
 	const char *json;
 	int i;
@@ -416,6 +464,7 @@ static void save_history(void)
 
 	if (!fz_realpath(filename, absname))
 		return;
+	absname_to_digest(absname, digest);
 
 	J = js_newstate(NULL, NULL, 0);
 
@@ -451,7 +500,7 @@ static void save_history(void)
 		}
 		js_setproperty(J, -2, "marks");
 	}
-	js_setproperty(J, -2, absname);
+	js_setproperty(J, -2, digest);
 
 	js_getglobal(J, "JSON");
 	js_getproperty(J, -1, "stringify");
@@ -466,7 +515,7 @@ static void save_history(void)
 	fz_try(ctx)
 	{
 		const char *history_file = get_history_filename();
-		if (strlen(history_file) > 0) {
+		if (history_file && history_file[0]) {
 			out = fz_new_output_with_path(ctx, history_file, 0);
 			fz_write_string(ctx, out, json);
 			fz_write_byte(ctx, out, '\n');
@@ -481,10 +530,23 @@ static void save_history(void)
 	js_freestate(J);
 }
 
+/* To preserve privacy, convert accel path to 64 bit hash encoded as base32 string */
+#define MUPDF_ACCEL_ID SD_ID128_MAKE(59,b6,b0,85,22,20,08,a9,89,6c,ec,fc,88,0e,e8,b5)
 static int convert_to_accel_path(char outname[], char *absname, size_t len)
 {
 	char *tmpdir;
 	char *s;
+	static siphash_key_t sipkey;
+	static bool sipinit = 0;
+	sd_id128_t accel_id;
+	char sip_accelid[14];
+
+	if (!sipinit) {
+		sipinit = 1;
+		sd_id128_get_machine_app_specific(MUPDF_ACCEL_ID, &accel_id);
+		sipkey.key[0] = accel_id.qwords[0];
+		sipkey.key[1] = accel_id.qwords[1];
+	}
 
 	tmpdir = getenv("TEMP");
 	if (!tmpdir)
@@ -496,15 +558,11 @@ static int convert_to_accel_path(char outname[], char *absname, size_t len)
 
 	if (absname[0] == '/' || absname[0] == '\\')
 		++absname;
-
 	s = absname;
-	while (*s) {
-		if (*s == '/' || *s == '\\' || *s == ':')
-			*s = '%';
-		++s;
-	}
+	base32_encode_u64(sip_accelid, siphash(&sipkey, (const unsigned char*)s, strlen((const char*)s)));
+	//fprintf(stderr, "accel_to_digest [%s] [%s]\n", s, sip_accelid);
 
-	if (fz_snprintf(outname, len, "%s/%s.accel", tmpdir, absname) >= len)
+	if (fz_snprintf(outname, len, "%s/.mupdf-%s.accel", tmpdir, sip_accelid) >= len)
 		return 0;
 	return 1;
 }
@@ -774,19 +832,19 @@ void update_title(void)
 	if (n > 50)
 	{
 		if (nc == 1)
-			sprintf(buf, "...%s%s - %d/%d", title + n - 50, extra, currentpage.page + 1, fz_count_pages(ctx, doc));
+			snprintf(buf, sizeof(buf), "...%s%s - %d/%d", title + n - 50, extra, currentpage.page + 1, fz_count_pages(ctx, doc));
 		else
-			sprintf(buf, "...%s%s - %d/%d - %d/%d", title + n - 50, extra,
+			snprintf(buf, sizeof(buf), "...%s%s - %d/%d - %d/%d", title + n - 50, extra,
 				currentpage.chapter + 1, nc,
 				currentpage.page + 1, fz_count_chapter_pages(ctx, doc, currentpage.chapter));
 	}
 	else
 	{
 		if (nc == 1)
-			sprintf(buf, "%s%s - %d/%d", title, extra, currentpage.page + 1, fz_count_pages(ctx, doc));
+			snprintf(buf, sizeof(buf), "%s%s - %d/%d", title, extra, currentpage.page + 1, fz_count_pages(ctx, doc));
 		else
 
-			sprintf(buf, "%s%s - %d/%d - %d/%d", title, extra,
+			snprintf(buf, sizeof(buf), "%s%s - %d/%d - %d/%d", title, extra,
 				currentpage.chapter + 1, nc,
 				currentpage.page + 1, fz_count_chapter_pages(ctx, doc, currentpage.chapter));
 	}
diff --git a/platform/x11/pdfapp.c b/platform/x11/pdfapp.c
index e41a9eafe..9733a1dd4 100644
--- a/platform/x11/pdfapp.c
+++ b/platform/x11/pdfapp.c
@@ -1099,6 +1099,7 @@ static void pdfapp_gotouri(pdfapp_t *app, char *uri)
 	{
 		char buf_base[PATH_MAX];
 		char buf_cwd[PATH_MAX];
+
 		if (getcwd(buf_cwd, sizeof buf_cwd))
 		{
 			fz_dirname(buf_base, app->docpath, sizeof buf_base);
diff --git a/source/fitz/draw-edgebuffer.c b/source/fitz/draw-edgebuffer.c
index dfb5c9788..2e00b23ff 100644
--- a/source/fitz/draw-edgebuffer.c
+++ b/source/fitz/draw-edgebuffer.c
@@ -723,7 +723,7 @@ static void
 cursor_flush(fz_edgebuffer * FZ_RESTRICT eb)
 {
 	int base = eb->super.clip.y0;
-	int iy0, iy1, iy2;
+	int iy0, iy1, iy2 = 0;
 	cursor_t * FZ_RESTRICT cr0 = &eb->cursor[0];
 	cursor_t * FZ_RESTRICT cr1 = &eb->cursor[1];
 	cursor_t * FZ_RESTRICT cr2 = &eb->cursor[2];
diff --git a/source/fitz/siphash.c b/source/fitz/siphash.c
new file mode 100644
index 000000000..968979e2d
--- /dev/null
+++ b/source/fitz/siphash.c
@@ -0,0 +1,86 @@
+#include <string.h>
+
+#include "mupdf/siphash.h"
+
+#if defined(_MSC_VER)
+#include <intrin.h>
+
+#define INLINE __forceinline
+#define NOINLINE __declspec(noinline)
+#define ROTL64(a,b) _rotl64(a,b)
+#define MM16 __declspec(align(16))
+
+	typedef unsigned int uint32_t;
+	typedef unsigned __int64 uint64_t;
+
+#if (_MSC_VER >= 1500)
+	#define __SSSE3__
+#endif
+#if (_MSC_VER > 1200) || defined(_mm_free)
+	#define __SSE2__
+#endif
+#else
+	#include <stdint.h>
+	#include <stdlib.h>
+
+	#define INLINE __attribute__((always_inline))
+	#define NOINLINE __attribute__((noinline))
+	#define ROTL64(a,b) (((a)<<(b))|((a)>>(64-b)))
+	#define MM16 __attribute__((aligned(16)))
+#endif
+
+uint64_t siphash(const siphash_key_t *key, const unsigned char *m, size_t len) {
+	uint64_t v0, v1, v2, v3;
+	uint64_t mi, k0, k1;
+	uint64_t last7;
+	size_t i, blocks;
+
+	k0 = key->key[0];
+	k1 = key->key[1];
+	v0 = k0 ^ 0x736f6d6570736575ull;
+	v1 = k1 ^ 0x646f72616e646f6dull;
+	v2 = k0 ^ 0x6c7967656e657261ull;
+	v3 = k1 ^ 0x7465646279746573ull;
+
+	last7 = (uint64_t)(len & 0xff) << 56;
+
+#define sipcompress() \
+	v0 += v1; v2 += v3; \
+	v1 = ROTL64(v1,13);	v3 = ROTL64(v3,16); \
+	v1 ^= v0; v3 ^= v2; \
+	v0 = ROTL64(v0,32); \
+	v2 += v1; v0 += v3; \
+	v1 = ROTL64(v1,17); v3 = ROTL64(v3,21); \
+	v1 ^= v2; v3 ^= v0; \
+	v2 = ROTL64(v2,32);
+
+	for (i = 0, blocks = (len & ~7); i < blocks; i += 8) {
+		memcpy(&mi, m + i, sizeof(mi));
+		v3 ^= mi;
+		sipcompress()
+		sipcompress()
+		v0 ^= mi;
+	}
+
+	switch (len - blocks) {
+		case 7: last7 |= (uint64_t)m[i + 6] << 48;
+		case 6: last7 |= (uint64_t)m[i + 5] << 40;
+		case 5: last7 |= (uint64_t)m[i + 4] << 32;
+		case 4: last7 |= (uint64_t)m[i + 3] << 24;
+		case 3: last7 |= (uint64_t)m[i + 2] << 16;
+		case 2: last7 |= (uint64_t)m[i + 1] <<  8;
+		case 1: last7 |= (uint64_t)m[i + 0]      ;
+		case 0:
+		default:;
+	};
+	v3 ^= last7;
+	sipcompress()
+	sipcompress()
+	v0 ^= last7;
+	v2 ^= 0xff;
+	sipcompress()
+	sipcompress()
+	sipcompress()
+	sipcompress()
+	return v0 ^ v1 ^ v2 ^ v3;
+}
diff --git a/source/html/epub-doc.c b/source/html/epub-doc.c
index 17dd51d02..0e7c351cd 100644
--- a/source/html/epub-doc.c
+++ b/source/html/epub-doc.c
@@ -693,10 +693,12 @@ epub_parse_header(fz_context *ctx, epub_document *doc)
 	epub_chapter **tailp;
 	int i;
 
+#if 0
 	if (fz_has_archive_entry(ctx, zip, "META-INF/rights.xml"))
 		fz_throw(ctx, FZ_ERROR_GENERIC, "EPUB is locked by DRM");
 	if (fz_has_archive_entry(ctx, zip, "META-INF/encryption.xml"))
 		fz_throw(ctx, FZ_ERROR_GENERIC, "EPUB is locked by DRM");
+#endif
 
 	fz_var(buf);
 	fz_var(container_xml);