diff --git a/configure b/configure
index db67c5ec8..42e430436 100755
--- a/configure
+++ b/configure
@@ -5140,6 +5140,64 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
+  # This zeroes out variables that COULD be accessed before being set.
+  # We are generally very careful about this in our code, but 3rd party
+  # modules are not always so careful. And still useful in case we ourselves
+  # screw up.
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -ftrivial-auto-var-init=zero" >&5
+printf %s "checking whether C compiler accepts -ftrivial-auto-var-init=zero... " >&6; }
+if test ${ax_cv_check_cflags__Werror___ftrivial_auto_var_init_zero+y}
+then :
+  printf %s "(cached) " >&6
+else case e in #(
+  e)
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS -Werror  -ftrivial-auto-var-init=zero"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main (void)
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"
+then :
+  ax_cv_check_cflags__Werror___ftrivial_auto_var_init_zero=yes
+else case e in #(
+  e) ax_cv_check_cflags__Werror___ftrivial_auto_var_init_zero=no ;;
+esac
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags ;;
+esac
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags__Werror___ftrivial_auto_var_init_zero" >&5
+printf "%s\n" "$ax_cv_check_cflags__Werror___ftrivial_auto_var_init_zero" >&6; }
+if test x"$ax_cv_check_cflags__Werror___ftrivial_auto_var_init_zero" = xyes
+then :
+  HARDEN_CFLAGS="$HARDEN_CFLAGS -ftrivial-auto-var-init=zero"
+else case e in #(
+  e) : ;;
+esac
+fi
+
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
   # At the link step, we might want -pie (GCC) or -Wl,-pie (Clang on OS X)
   #
   # The linker checks also compile code, so we need to include -fPIE as well.
diff --git a/configure.ac b/configure.ac
index 4e98406b0..3150bad2e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -153,6 +153,12 @@ AS_IF([test x"$hardening" != x"no"], [
   # Clear registers on return (performance penalty, but acceptable, makes ROP harder)
   check_cc_flag([-fzero-call-used-regs=used-gpr], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fzero-call-used-regs=used-gpr"])
 
+  # This zeroes out variables that COULD be accessed before being set.
+  # We are generally very careful about this in our code, but 3rd party
+  # modules are not always so careful. And still useful in case we ourselves
+  # screw up.
+  check_cc_flag([-ftrivial-auto-var-init=zero], [HARDEN_CFLAGS="$HARDEN_CFLAGS -ftrivial-auto-var-init=zero"])
+
   # At the link step, we might want -pie (GCC) or -Wl,-pie (Clang on OS X)
   #
   # The linker checks also compile code, so we need to include -fPIE as well.