diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 53141cac5df..b4104f351ca 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix @@ -51,6 +51,8 @@ # the derivation at which the `-B` and `-L` flags added by `useCcForLibs` will point , gccForLibs ? if useCcForLibs then cc else null +, fortify-headers ? null +, includeFortifyHeaders ? null }: with lib; @@ -65,6 +67,10 @@ let stdenv = stdenvNoCC; inherit (stdenv) hostPlatform targetPlatform; + includeFortifyHeaders' = if includeFortifyHeaders != null + then includeFortifyHeaders + else targetPlatform.libc == "musl"; + # Prefix for binaries. Customarily ends with a dash separator. # # TODO(@Ericson2314) Make unconditional, or optional but always true by @@ -165,6 +171,8 @@ let stdenv.targetPlatform.darwinMinVersionVariable; in +assert includeFortifyHeaders' -> fortify-headers != null; + # Ensure bintools matches assert libc_bin == bintools.libc_bin; assert libc_dev == bintools.libc_dev; @@ -414,6 +422,16 @@ stdenv.mkDerivation { echo "${libc_lib}" > $out/nix-support/orig-libc echo "${libc_dev}" > $out/nix-support/orig-libc-dev + '' + # fortify-headers is a set of wrapper headers that augment libc + # and use #include_next to pass through to libc's true + # implementations, so must appear before them in search order. + # in theory a correctly placed -idirafter could be used, but in + # practice the compiler may have been built with a --with-headers + # like option that forces the libc headers before all -idirafter, + # hence -isystem here. + + optionalString includeFortifyHeaders' '' + echo "-isystem ${fortify-headers}/include" >> $out/nix-support/libc-cflags '') ## diff --git a/pkgs/development/libraries/fortify-headers/default.nix b/pkgs/development/libraries/fortify-headers/default.nix new file mode 100644 index 00000000000..befead87e6a --- /dev/null +++ b/pkgs/development/libraries/fortify-headers/default.nix 
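Review bot: The new default `else targetPlatform.libc == "musl"` in the second hunk silently flips every musl cc-wrapper to requiring `fortify-headers`, because the assert added in the third hunk (`includeFortifyHeaders' -> fortify-headers != null`) turns a missing argument into an evaluation failure; any `wrapCCWith`-style call site outside the stdenv bootstrap that targets musl and is not updated by this commit will presumably hit it. That is the right failure mode for a hardening feature (a musl toolchain without these headers makes `-D_FORTIFY_SOURCE` a no-op, which is exactly the kind of silent regression this should not allow), but the contract is undocumented at the definition. I would put it next to `includeFortifyHeaders'`: `# musl ships no _FORTIFY_SOURCE implementation; on musl targets fortify-headers must be supplied (see assert below), or the caller opts out with includeFortifyHeaders = false and accepts that the fortify hardening flag does nothing.` The enclosing `let` starts outside the hunk.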
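Review bot: The `-isystem` appended with `>>` in the last hunk only shadows libc's headers if libc's own include directory is written into `libc-cflags` with `-idirafter` (or a later `-isystem`) earlier in this file, which I cannot see from the hunk; GCC searches all `-isystem` directories before all `-idirafter` ones, but among `-isystem` entries command-line order wins, so a future switch of the libc line to `-isystem` would make the `#include_next` chain resolve the wrong way and fortification would silently stop working with no build error. The comment explains why `-isystem` was chosen but not this ordering dependency, so I would add after it: `# NOTE: relies on libc's own include dir being added with -idirafter (above); if that ever changes to -isystem, this entry must precede it.` A cheap guard would be a wrapper test that compiles `#include <string.h>` with `-O2 -D_FORTIFY_SOURCE=2` against a musl target and checks that a fortified symbol is referenced, but that is beyond this hunk. The `mkDerivation` body that contains this shell snippet starts and ends outside the hunk.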
@@ -0,0 +1,34 @@ +{ lib +, stdenv +, fetchurl +}: + +stdenv.mkDerivation { + pname = "fortify-headers"; + version = "1.1alpine1"; + + # upstream only accessible via git - unusable during bootstrap, hence + # extract from the alpine package + src = fetchurl { + url = "https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/fortify-headers-1.1-r1.apk"; + name = "fortify-headers.tar.gz"; # ensure it's extracted as a .tar.gz + hash = "sha256-A67NzUv+dldARY+MTaoVnezTg+Es8ZK/b7XOxA6KzpI="; + }; + + installPhase = '' + runHook preInstall + + mkdir -p $out + cp -r include/fortify $out/include + + runHook postInstall + ''; + + meta = { + description = "Standalone header-based fortify-source implementation"; + homepage = "https://git.2f30.org/fortify-headers"; + license = lib.licenses.bsd0; + platforms = lib.platforms.all; + maintainers = with lib.maintainers; [ ris ]; + }; +} diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix index 0e483321b93..34fffd36aa6 100644 --- a/pkgs/stdenv/linux/default.nix +++ b/pkgs/stdenv/linux/default.nix @@ -194,6 +194,7 @@ let inherit lib; inherit (prevStage) coreutils gnugrep; stdenvNoCC = prevStage.ccWrapperStdenv; + fortify-headers = prevStage.fortify-headers; }).overrideAttrs(a: lib.optionalAttrs (prevStage.gcc-unwrapped.passthru.isXgcc or false) { # This affects only `xgcc` (the compiler which compiles the final compiler). postFixup = (a.postFixup or "") + '' @@ -568,6 +569,7 @@ in inherit lib; inherit (self) stdenvNoCC coreutils gnugrep; shell = self.bash + "/bin/bash"; + fortify-headers = self.fortify-headers; }; }; extraNativeBuildInputs = [ @@ -645,6 +647,7 @@ in ++ [ linuxHeaders # propagated from .dev binutils gcc gcc.cc gcc.cc.lib gcc.expand-response-params gcc.cc.libgcc glibc.passthru.libgcc ] + ++ lib.optionals (localSystem.libc == "musl") [ fortify-headers ] ++ [ prevStage.updateAutotoolsGnuConfigScriptsHook prevStage.gnu-config ] ++ (with gcc-unwrapped.passthru; [ gmp libmpc mpfr isl 
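Review bot: The `src` is a prebuilt Alpine `.apk` pulled from a mutable mirror path, and its only integrity anchor is the `hash` recorded here — the RSA signature Alpine embeds in the apk is never checked, so the provenance of these security-critical headers rests entirely on the checksum the packager took from one download, and if the v3.17 mirror path is ever retired the URL will simply fail rather than silently change. I would state that next to the fetch: `# apk signature is not verified; provenance rests on the hash below — on bump, re-derive the hash from a fresh download and compare against the aports package`, and note that the `x86_64` path component is incidental since the package is header-only. The `name = "fortify-headers.tar.gz"` trick is fine, but since the archive holds only the installed headers plus `.PKGINFO`, setting `dontConfigure = true; dontBuild = true;` would make the intended phases explicit instead of depending on the default phases finding nothing to do. `installPhase` copies `include/fortify` to `$out/include`, which is what the wrapper's `-isystem ${fortify-headers}/include` expects; a short comment saying so would help the next reader.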
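Review bot: `fortify-headers = prevStage.fortify-headers;` in the first stdenv hunk is a plain attribute access, so if any earlier bootstrap stage's package set does not define `fortify-headers` (the bootstrap-tools stages, presumably), evaluation fails with a missing-attribute error instead of passing `null`, which is the value the cc-wrapper's `includeFortifyHeaders' -> fortify-headers != null` assert was written to distinguish. Unless every stage is known to define the attribute, `fortify-headers = prevStage.fortify-headers or null;` preserves the intended failure mode: a clear assertion on musl targets, nothing on glibc. The `self.fortify-headers` in the second hunk is less exposed because `self` is the final package set, and the `optionals (localSystem.libc == "musl")` in the third hunk correctly keeps the headers out of the glibc closure. The enclosing attribute sets start and end outside these hunks.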
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 53dba21ce00..f9176ae3610 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -21097,6 +21097,8 @@ with pkgs; folks = callPackage ../development/libraries/folks { }; + fortify-headers = callPackage ../development/libraries/fortify-headers { }; + makeFontsConf = let fontconfig_ = fontconfig; in {fontconfig ? fontconfig_, fontDirectories}: callPackage ../development/libraries/fontconfig/make-fonts-conf.nix { inherit fontconfig fontDirectories;