diff --git a/.gitignore b/.gitignore
index ef1d8dc9..61091efa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@ build
 generated
 tags
 cscope.*
+ID
 
 # Editor and file browser turds:
 *~
diff --git a/Makefile b/Makefile
index 97ccf19a..6a1928f8 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,9 @@ include Makethird
 # Do not specify CFLAGS or LIBS on the make invocation line - specify
 # XCFLAGS or XLIBS instead. Make ignores any lines in the makefile that
 # set a variable that was set on the command line.
-CFLAGS += $(XCFLAGS) -Iinclude
+CFLAGS += $(XCFLAGS) -Iinclude -O3 -march=native -fPIC -U_FORTIFY_SOURCE \
+	  -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fstack-clash-protection \
+	  -fcf-protection=full --param=ssp-buffer-size=4
 LIBS += $(XLIBS) -lm
 
 ifneq ($(threading),no)
@@ -57,7 +59,7 @@ AR_CMD = $(QUIET_AR) $(MKTGTDIR) ; $(AR) cr $@ $^
 ifdef RANLIB
   RANLIB_CMD = $(QUIET_RANLIB) $(RANLIB) $@
 endif
-LINK_CMD = $(QUIET_LINK) $(MKTGTDIR) ; $(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
+LINK_CMD = $(QUIET_LINK) $(MKTGTDIR) ; $(CC) $(LDFLAGS) -o $@ $^ $(LIBS) -pie -Wl,-z,relro -Wl,-z,now
 TAGS_CMD = $(QUIET_TAGS) ctags $^
 WINDRES_CMD = $(QUIET_WINDRES) $(MKTGTDIR) ; $(WINDRES) $< $@
 OBJCOPY_CMD = $(QUIET_OBJCOPY) $(MKTGTDIR) ; $(LD) -r -b binary -o $@ $<
@@ -222,7 +224,7 @@ ifeq ($(HAVE_GLUT),yes)
   MUVIEW_GLUT_OBJ := $(MUVIEW_GLUT_SRC:%.c=$(OUT)/%.o)
   MUVIEW_GLUT_EXE := $(OUT)/mupdf-gl
   $(MUVIEW_GLUT_EXE) : $(MUVIEW_GLUT_OBJ) $(MUPDF_LIB) $(THIRD_LIB) $(PKCS7_LIB) $(GLUT_LIB)
-	$(LINK_CMD) $(THIRD_LIBS) $(LIBCRYPTO_LIBS) $(WIN32_LDFLAGS) $(GLUT_LIBS)
+	$(LINK_CMD) $(THIRD_LIBS) $(LIBCRYPTO_LIBS) $(WIN32_LDFLAGS) $(GLUT_LIBS) -lsystemd
   INSTALL_APPS += $(MUVIEW_GLUT_EXE)
 endif
 
@@ -386,9 +388,9 @@ cscope.out: cscope.files
 all: libs apps
 
 clean:
-	rm -rf $(OUT)
+	rm -rf -- $(OUT)
 nuke:
-	rm -rf build/* generated
+	rm -rf -- build/* generated
 
 release:
 	$(MAKE) build=release
diff --git a/Makerules b/Makerules
index b62374d5..9c08e307 100644
--- a/Makerules
+++ b/Makerules
@@ -25,19 +25,19 @@ ifeq ($(build),debug)
   LDFLAGS += -g
 else ifeq ($(build),release)
   CFLAGS += -pipe -O2 -DNDEBUG -fomit-frame-pointer
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH)
 else ifeq ($(build),small)
   CFLAGS += -pipe -Os -DNDEBUG -fomit-frame-pointer
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH)
 else ifeq ($(build),valgrind)
   CFLAGS += -pipe -O2 -DNDEBUG -DPACIFY_VALGRIND -fno-omit-frame-pointer
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH)
 else ifeq ($(build),sanitize)
   CFLAGS += -pipe -g -fno-omit-frame-pointer $(SANITIZE_FLAGS)
   LDFLAGS += -g $(SANITIZE_FLAGS)
 else ifeq ($(build),sanitize-release)
   CFLAGS += -pipe -O2 -DNDEBUG -fno-omit-frame-pointer $(SANITIZE_FLAGS)
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s $(SANITIZE_FLAGS)
+  LDFLAGS += $(LDREMOVEUNREACH) $(SANITIZE_FLAGS)
 else ifeq ($(build),profile)
   CFLAGS += -pipe -O2 -DNDEBUG -pg
   LDFLAGS += -pg
@@ -46,7 +46,7 @@ else ifeq ($(build),coverage)
   LIBS += -lgcov
 else ifeq ($(build),native)
   CFLAGS += -pipe -O2 -DNDEBUG -fomit-frame-pointer -march=native
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH)
 else ifeq ($(build),memento)
   CFLAGS += -pipe -g -DMEMENTO
   LDFLAGS += -g -d -rdynamic
diff --git a/include/mupdf/siphash.h b/include/mupdf/siphash.h
new file mode 100644
index 00000000..c193220b
--- /dev/null
+++ b/include/mupdf/siphash.h
@@ -0,0 +1,10 @@
+#pragma once
+
+#include <stdint.h>
+#include <stddef.h>
+
+typedef struct {
+	uint64_t key[2];
+} siphash_key_t;
+
+uint64_t siphash(const siphash_key_t *key, const unsigned char *m, size_t len);
diff --git a/platform/gl/gl-main.c b/platform/gl/gl-main.c
index 4f107bd5..7b229415 100644
--- a/platform/gl/gl-main.c
+++ b/platform/gl/gl-main.c
@@ -1,11 +1,17 @@
 #include "gl-app.h"
 
+#include <systemd/sd-id128.h>
 #include <limits.h>
 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <stdbool.h>
+#include <errno.h>
 
 #include "mujs.h"
+#include "mupdf/siphash.h"
 
 #ifndef PATH_MAX
 #define PATH_MAX 2048
@@ -171,11 +177,14 @@ static char *get_history_filename(void)
 	if (!once)
 	{
 		char *home = getenv("HOME");
-		if (!home)
-			home = getenv("USERPROFILE");
-		if (!home)
-			home = "/tmp";
-		fz_snprintf(history_path, sizeof history_path, "%s/.mupdf.history", home);
+		fz_snprintf(history_path, sizeof history_path, "%s/.config/mupdf", home);
+		if ((mkdir(history_path, 0700) == -1) && (errno != EEXIST)) {
+			fz_snprintf(history_path, sizeof history_path,
+					"%s/.mupdf-history.json", home);
+		} else {
+			fz_snprintf(history_path, sizeof history_path,
+					"%s/.config/mupdf/mupdf-history.json", home);
+		}
 		fz_cleanname(history_path);
 		once = 1;
 	}
@@ -218,20 +227,52 @@ static void read_history_file_as_json(js_State *J)
 	fz_drop_buffer(ctx, buf);
 }
 
+/* encode uint64_t as base64, requires 14 byte buffer at [out] */
+static inline void base32_encode_u64(char *out, uint64_t in)
+{
+	size_t i = 13;
+
+	while (i--) {
+		*out++ = "0123456789bcdfghjklmnpqrstuvwxyz"[in & 31];
+		in >>= 5;
+	}
+	*out = 0;
+}
+
+#define MUPDF_HIST_ID SD_ID128_MAKE(79,b9,ce,cd,94,7b,7e,d2,ea,25,98,18,d7,83,a0,a7)
+/* To preserve privacy, convert absolute filename to 64 bit hash encoded as base32 string */
+static void absname_to_digest(char *abs, char *dig)
+{
+	static siphash_key_t sipkey;
+	static bool sipinit = 0;
+	sd_id128_t hist_id;
+
+	if (!sipinit) {
+		sipinit = 1;
+		sd_id128_get_machine_app_specific(MUPDF_HIST_ID, &hist_id);
+		sipkey.key[0] = hist_id.qwords[0];
+		sipkey.key[1] = hist_id.qwords[1];
+	}
+	base32_encode_u64(dig, siphash(&sipkey, (unsigned char*)abs, strlen(abs)));
+	//fprintf(stderr, "absname_to_digest [%s] [%s]\n", abs, dig);
+}
+
 static void load_history(void)
 {
 	js_State *J;
+	char digest[14];
 	char absname[PATH_MAX];
 	int i, n;
 
 	if (!realpath(filename, absname))
 		return;
+	absname_to_digest(absname, digest);
 
 	J = js_newstate(NULL, NULL, 0);
 
 	read_history_file_as_json(J);
 
-	if (js_hasproperty(J, -1, absname))
+	if (js_hasproperty(J, -1, digest))
 	{
 		if (js_hasproperty(J, -1, "current"))
 		{
@@ -292,6 +333,7 @@ static void save_history(void)
 {
 	js_State *J;
 	char absname[PATH_MAX];
+	char digest[14];
 	fz_output *out = NULL;
 	const char *json;
 	int i;
@@ -303,6 +345,7 @@ static void save_history(void)
 
 	if (!realpath(filename, absname))
 		return;
+	absname_to_digest(absname, digest);
 
 	J = js_newstate(NULL, NULL, 0);
 
@@ -337,7 +380,7 @@ static void save_history(void)
 		}
 		js_setproperty(J, -2, "marks");
 	}
-	js_setproperty(J, -2, absname);
+	js_setproperty(J, -2, digest);
 
 	js_getglobal(J, "JSON");
 	js_getproperty(J, -1, "stringify");
diff --git a/platform/gl/gl-ui.c b/platform/gl/gl-ui.c
index e0c6be86..c9d08f38 100644
--- a/platform/gl/gl-ui.c
+++ b/platform/gl/gl-ui.c
@@ -16,9 +16,9 @@ void glutInitWarningFunc(void *fn) {}
 enum
 {
 	/* Default UI sizes */
-	DEFAULT_UI_FONTSIZE = 15,
-	DEFAULT_UI_BASELINE = 14,
-	DEFAULT_UI_LINEHEIGHT = 18,
+	DEFAULT_UI_FONTSIZE = 15*2,
+	DEFAULT_UI_BASELINE = 14*2,
+	DEFAULT_UI_LINEHEIGHT = 18*2,
 	DEFAULT_UI_GRIDSIZE = DEFAULT_UI_LINEHEIGHT + 6,
 };
 
diff --git a/source/fitz/siphash.c b/source/fitz/siphash.c
new file mode 100644
index 00000000..968979e2
--- /dev/null
+++ b/source/fitz/siphash.c
@@ -0,0 +1,86 @@
+#include <string.h>
+
+#include "mupdf/siphash.h"
+
+#if defined(_MSC_VER)
+#include <intrin.h>
+
+#define INLINE __forceinline
+#define NOINLINE __declspec(noinline)
+#define ROTL64(a,b) _rotl64(a,b)
+#define MM16 __declspec(align(16))
+
+	typedef unsigned int uint32_t;
+	typedef unsigned __int64 uint64_t;
+
+#if (_MSC_VER >= 1500)
+	#define __SSSE3__
+#endif
+#if (_MSC_VER > 1200) || defined(_mm_free)
+	#define __SSE2__
+#endif
+#else
+	#include <stdint.h>
+	#include <stdlib.h>
+
+	#define INLINE __attribute__((always_inline))
+	#define NOINLINE __attribute__((noinline))
+	#define ROTL64(a,b) (((a)<<(b))|((a)>>(64-b)))
+	#define MM16 __attribute__((aligned(16)))
+#endif
+
+uint64_t siphash(const siphash_key_t *key, const unsigned char *m, size_t len) {
+	uint64_t v0, v1, v2, v3;
+	uint64_t mi, k0, k1;
+	uint64_t last7;
+	size_t i, blocks;
+
+	k0 = key->key[0];
+	k1 = key->key[1];
+	v0 = k0 ^ 0x736f6d6570736575ull;
+	v1 = k1 ^ 0x646f72616e646f6dull;
+	v2 = k0 ^ 0x6c7967656e657261ull;
+	v3 = k1 ^ 0x7465646279746573ull;
+
+	last7 = (uint64_t)(len & 0xff) << 56;
+
+#define sipcompress() \
+	v0 += v1; v2 += v3; \
+	v1 = ROTL64(v1,13);	v3 = ROTL64(v3,16); \
+	v1 ^= v0; v3 ^= v2; \
+	v0 = ROTL64(v0,32); \
+	v2 += v1; v0 += v3; \
+	v1 = ROTL64(v1,17); v3 = ROTL64(v3,21); \
+	v1 ^= v2; v3 ^= v0; \
+	v2 = ROTL64(v2,32);
+
+	for (i = 0, blocks = (len & ~7); i < blocks; i += 8) {
+		memcpy(&mi, m + i, sizeof(mi));
+		v3 ^= mi;
+		sipcompress()
+		sipcompress()
+		v0 ^= mi;
+	}
+
+	switch (len - blocks) {
+		case 7: last7 |= (uint64_t)m[i + 6] << 48;
+		case 6: last7 |= (uint64_t)m[i + 5] << 40;
+		case 5: last7 |= (uint64_t)m[i + 4] << 32;
+		case 4: last7 |= (uint64_t)m[i + 3] << 24;
+		case 3: last7 |= (uint64_t)m[i + 2] << 16;
+		case 2: last7 |= (uint64_t)m[i + 1] <<  8;
+		case 1: last7 |= (uint64_t)m[i + 0]      ;
+		case 0:
+		default:;
+	};
+	v3 ^= last7;
+	sipcompress()
+	sipcompress()
+	v0 ^= last7;
+	v2 ^= 0xff;
+	sipcompress()
+	sipcompress()
+	sipcompress()
+	sipcompress()
+	return v0 ^ v1 ^ v2 ^ v3;
+}
diff --git a/thirdparty/README b/thirdparty/README
new file mode 100644
index 00000000..efd375d2
--- /dev/null
+++ b/thirdparty/README
@@ -0,0 +1,15 @@
+This directory holds third party libraries as git submodules.
+
+If the directories are empty, the makefile based build will try
+to use system libraries instead.
+
+To set up the third party modules for building from git:
+
+	$ git submodule init
+	$ git submodule update
+
+Then after each pull (to make sure they're up to date):
+
+	$ git submodule update
+
+Do NOT edit files in the submodule checkouts unless you know what you're doing.