diff --git a/src/main.rs b/src/main.rs
index 3b412f2..82f5ade 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,4 +1,5 @@
 use std::env;
+use std::os::unix::fs::PermissionsExt;
 use std::path::PathBuf;
 use std::sync::atomic::Ordering::SeqCst;
 use std::sync::atomic::{AtomicBool, AtomicU64, Ordering};
@@ -59,6 +60,12 @@ async fn config_reloader(notify: Arc<Notify>) {
 
 async fn socket_server(disabled: Arc<AtomicBool>, notify: Arc<Notify>) {
     let listener = UnixListener::bind(SOCKET_PATH).expect("Failed to bind socket");
+
+    match std::fs::set_permissions(SOCKET_PATH, std::fs::Permissions::from_mode(0o600)) {
+        Ok(_) => trace!("socket file permissions set"),
+        Err(e) => error!("Failed to set socket file permissions: {e}"),
+    };
+
     trace!("socket server bound");
     let notification: NotifyState =
         match hinoirisetr::notify::InitializedNotificationSystem::new("hinoirisetr") {