diff --git a/citus.spec b/citus.spec
index 96e0c77bc..4cc5ddddd 100644
--- a/citus.spec
+++ b/citus.spec
@@ -34,8 +34,24 @@ commands.
 %prep
 %setup -q -n %{sname}-%{version}
+# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
+SECURITY_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security"
+
+currentgccver="$(gcc -dumpversion)"
+requiredgccver="4.8.2"
+if [ "$(printf '%s\n' "$requiredgccver" "$currentgccver" | sort -V | tail -n1)" = "$requiredgccver" ]; then
+ echo WARNING: Using slower security flags because of outdated compiler
+ SECURITY_CFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security"
+ fi
+fi
+
+gccgte8=$(expr `gcc -dumpversion | cut -f1 -d.` \>= 8)
+ifeq "$(gccgte8)" "1"
+ SECURITY_CFLAGS += -fstack-clash-protection
+endif
+
 %build
-%configure PG_CONFIG=%{pginstdir}/bin/pg_config --with-extra-version="%{?conf_extra_version}"
+%configure PG_CONFIG=%{pginstdir}/bin/pg_config --with-extra-version="%{?conf_extra_version}" CC=$(command -v gcc) CFLAGS="$SECURITY_CFLAGS"
 make %{?_smp_mflags}
 %install
diff --git a/debian/check-gcc-version.sh b/debian/check-gcc-version.sh
new file mode 100755
index 000000000..4f036d7cf
--- /dev/null
+++ b/debian/check-gcc-version.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -euxo pipefail
+
+currentgccver="$($(pg_config --cc) -dumpversion)"
+requiredgccver="4.8.2"
+if [ "$(printf '%s\n' "$requiredgccver" "$currentgccver" | sort -V | tail -n1)" = "$requiredgccver" ]; then
+ echo ERROR: At least GCC version "$requiredgccver" is needed
+ exit 1
+fi
diff --git a/debian/rules b/debian/rules
index d7bbf511e..b3bf0fb5f 100755
--- a/debian/rules
+++ b/debian/rules
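Review bot: The block added to %prep cannot run as written: the `if` is closed by two `fi` lines, and `ifeq "$(gccgte8)" "1"` / `SECURITY_CFLAGS += -fstack-clash-protection` / `endif` are GNU make syntax pasted into what rpmbuild executes as a shell scriptlet, so the section aborts with a syntax error at the stray `fi` (and the make conditional would be an unknown command even without it). Even with the syntax repaired, rpmbuild runs %prep and %build as separate shell invocations, so `SECURITY_CFLAGS` set in %prep is empty by the time the new `%configure … CFLAGS="$SECURITY_CFLAGS"` line in %build expands it, and configure silently receives an empty CFLAGS. The version test additionally treats a compiler that is exactly 4.8.2 as outdated, because `sort -V | tail -n1` equals `$requiredgccver` whenever the two are equal; the same boundary slip is in the new debian/check-gcc-version.sh, whose error message promises "at least 4.8.2" but rejects 4.8.2 itself, and comparing the smaller of the two against the requirement fixes both. Moving the whole block to the top of %build (leaving %prep with only `%setup`) and writing the GCC ≥ 8 test in shell, as below, addresses all of this; if the intent is to add to rather than replace the distribution's own hardening flags, `CFLAGS="%{optflags} $SECURITY_CFLAGS"` would keep them.
```shell
%build
# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
SECURITY_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security"

currentgccver="$(gcc -dumpversion)"
requiredgccver="4.8.2"
# The smaller of the two versions is not the requirement => compiler is older than 4.8.2
if [ "$(printf '%s\n' "$requiredgccver" "$currentgccver" | sort -V | head -n1)" != "$requiredgccver" ]; then
  echo WARNING: Using slower security flags because of outdated compiler
  SECURITY_CFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security"
fi

# -fstack-clash-protection is only to be used from GCC 8 on (see the debian/rules comment)
if [ "$(gcc -dumpversion | cut -f1 -d.)" -ge 8 ]; then
  SECURITY_CFLAGS="$SECURITY_CFLAGS -fstack-clash-protection"
fi

%configure PG_CONFIG=%{pginstdir}/bin/pg_config --with-extra-version="%{?conf_extra_version}" CC=$(command -v gcc) CFLAGS="$SECURITY_CFLAGS"
# … unchanged: make %{?_smp_mflags} …
```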
@@ -2,8 +2,17 @@ include /usr/share/postgresql-common/pgxs_debian_control.mk
+# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
+SECURITY_CFLAGS=-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security
+
+GCCVERSIONGTE8=$(shell expr `gcc -dumpversion | cut -f1 -d.` \>= 8)
+ifeq "$(GCCVERSIONGTE8)" "1"
+ # if gcc version is greater than or equal to 8 we should also use this flag
+ SECURITY_CFLAGS += -fstack-clash-protection
+endif
+
 override_dh_auto_build:
-	+pg_buildext build build-%v
+	+pg_buildext build build-%v '$(CFLAGS) $(SECURITY_CFLAGS)'
 override_dh_auto_clean:
 	+pg_buildext clean build-%v
@@ -12,6 +21,7 @@ override_dh_auto_test:
 	# nothing to do here, see debian/tests/* instead
 override_dh_auto_configure:
+	debian/check-gcc-version.sh
 	+pg_buildext configure build-%v --with-extra-version="$${CONF_EXTRA_VERSION:-}"
 override_dh_auto_install:
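Review bot: `GCCVERSIONGTE8=$(shell expr …)` uses the recursive `=` flavour, so the gcc/cut/expr pipeline is forked again on every reference to the variable; changing that line's `=` to `:=` runs the probe once at parse time. The probe also asks plain `gcc` for its version, while the new debian/check-gcc-version.sh asks `pg_config --cc`, which is presumably the compiler pg_buildext ends up invoking; should the two differ on a builder, `-fstack-clash-protection` is decided for the wrong compiler, so querying the same compiler in both places would keep them consistent. If `gcc` is absent, `expr` receives an empty operand, prints a syntax error and leaves `GCCVERSIONGTE8` empty, which silently drops the flag rather than failing. The `'$(CFLAGS) $(SECURITY_CFLAGS)'` argument appended to `pg_buildext build` looks right, assuming dh exports the dpkg build flags into the environment of this override target so that `$(CFLAGS)` is non-empty.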
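Review bot: `debian/check-gcc-version.sh` resolves the compiler through whichever `pg_config` is first in PATH, whereas `pg_buildext configure build-%v` on the next line configures against each supported PostgreSQL version's own pg_config, so on a builder with several server versions installed the guard may vet a different compiler than the one that actually compiles the extension; pointing the script at the per-version pg_config, or running it per version, would make the guard match what is built. The Debian side also hard-fails below GCC 4.8.2 while citus.spec in this same change only warns and falls back to `-fstack-protector-all`; if that divergence is intended, a one-line comment above the call such as `# Debian builders must meet the GCC minimum; no fallback flags here` would save the next reader the comparison. The enclosing override_dh_auto_configure rule is visible in full within the hunk.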