diff --git a/backend.go b/backend.go
index b101ccc..5d61147 100644
--- a/backend.go
+++ b/backend.go
@@ -87,6 +87,9 @@ func backendServer() {
 if err != nil {
 log.Panicf("unable to register shrinker: %s", err)
 }
+ for _, h := range preservehooks {
+ h()
+ }
 srv.Accept(lis)
 }
 
diff --git a/docs/changelog.txt b/docs/changelog.txt
index 70a195d..015ad98 100644
--- a/docs/changelog.txt
+++ b/docs/changelog.txt
@@ -2,6 +2,8 @@ changelog
 
 -- next
 
++ Unveil and pledge restrictions on OpenBSD.
+
 + Lists supported in markdown.
 
 + Rewrite admin console to avoid large dependencies.
diff --git a/unveil.go b/unveil.go
new file mode 100644
index 0000000..4650ae5
--- /dev/null
+++ b/unveil.go
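Review bot: In backend.go, backendServer() runs the same `preservehooks` list as serve(), so on OpenBSD the backend process gets the identical unveil set and the full `stdio rpath wpath cpath flock dns inet unix` promise string registered in unveil.go. From the visible lines the backend only registers a shrinker and accepts on an already-open listener, so it presumably does not need `dns inet` or create/write access to dataDir; that is inferred, because the rest of backendServer is outside the hunk. A separate, narrower hook for the backend would limit what a compromise of that process can reach. At minimum the loop deserves a comment such as `// drop privileges before handling any request; see unveil.go`.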
@@ -0,0 +1,65 @@
+// +build openbsd
+
+//
+// Copyright (c) 2019 Ted Unangst
+//
+// Permission to use, copy, modify, and distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+package main
+
+/*
+#include
+#include
+*/
+import "C"
+
+import (
+ "fmt"
+ "unsafe"
+)
+
+func Unveil(path string, perms string) error {
+ cpath := C.CString(path)
+ defer C.free(unsafe.Pointer(cpath))
+ cperms := C.CString(perms)
+ defer C.free(unsafe.Pointer(cperms))
+
+ rv, err := C.unveil(cpath, cperms)
+ if rv != 0 {
+ return fmt.Errorf("unveil(%s, %s) failure (%d)", path, perms, err)
+ }
+ return nil
+}
+
+func Pledge(promises string) error {
+ cpromises := C.CString(promises)
+ defer C.free(unsafe.Pointer(cpromises))
+
+ rv, err := C.pledge(cpromises, nil)
+ if rv != 0 {
+ return fmt.Errorf("pledge(%s) failure (%d)", promises, err)
+ }
+ return nil
+}
+
+func init() {
+ preservehooks = append(preservehooks, func() {
+ Unveil("/etc/ssl", "r")
+ if viewDir != dataDir {
+ Unveil(viewDir, "r")
+ }
+ Unveil(dataDir, "rwc")
+ C.unveil(nil, nil)
+ Pledge("stdio rpath wpath cpath flock dns inet unix")
+ })
+}
diff --git a/web.go b/web.go
index 74c6fb0..376a839 100644
--- a/web.go
+++ b/web.go
@@ -2120,6 +2120,8 @@ sendloop:
 os.Exit(0)
 }
 
+var preservehooks []func()
+
 func serve() {
 db := opendatabase()
 login.Init(db)
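Review bot: The hook registered in unveil.go's init() discards every return value: the three `Unveil` calls, the raw `C.unveil(nil, nil)` lock and `Pledge` can each fail without the process noticing, so a failed call leaves the server running with a weaker sandbox than intended, or none. Sandbox setup should fail closed by checking each result and aborting startup on error, as sketched below; this needs `log` added to the file's imports. Separately, `Unveil` and `Pledge` format the cgo errno with `%d`, which prints only the number, where `%v` would include the message.

```go
func init() {
	preservehooks = append(preservehooks, func() {
		check := func(err error) {
			if err != nil {
				log.Fatalf("sandbox setup: %s", err)
			}
		}
		check(Unveil("/etc/ssl", "r"))
		if viewDir != dataDir {
			check(Unveil(viewDir, "r"))
		}
		check(Unveil(dataDir, "rwc"))
		// Lock the unveil list; a failure here must not be ignored either.
		if rv, err := C.unveil(nil, nil); rv != 0 {
			log.Fatalf("unveil lock: %v", err)
		}
		check(Pledge("stdio rpath wpath cpath flock dns inet unix"))
	})
}
```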
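Review bot: `preservehooks` in web.go is declared without a comment, so nothing at the declaration says what the hooks are for or when they run. Because unveil.go is built only on OpenBSD, the slice stays empty on other platforms and both loops over it do nothing, which is worth stating where the variable is defined. A suitable comment would be `// preservehooks are platform-specific hardening steps (registered by unveil.go on OpenBSD) that serve and backendServer run before handling requests; empty elsewhere.`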
@@ -2160,6 +2162,10 @@ func serve() {
 }
 }
 
+ for _, h := range preservehooks {
+ h()
+ }
+
 mux := mux.NewRouter()
 mux.Use(login.Checker)
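Review bot: The hooks in serve() run before the router is built, so on OpenBSD everything serve() does afterwards must fit inside the unveiled paths and the promise list from unveil.go, which has no `proc` or `exec`. Whether serve() later opens files outside dataDir and viewDir or starts a child process cannot be seen here, because its body continues outside the hunk; if it does, the open will fail or the process will be killed. A comment at the loop would record the constraint, e.g. `// from here on only /etc/ssl, viewDir and dataDir are visible and no new processes may be started (OpenBSD)`.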