diff --git a/src/cfgparse-global.c b/src/cfgparse-global.c
index dd37559..c083a05 100644
--- a/src/cfgparse-global.c
+++ b/src/cfgparse-global.c
@@ -94,6 +94,14 @@
 		else
 			global.tune.options |=  GTUNE_SET_DUMPABLE;
 	}
+	else if (!strcmp(args[0], "insecure-fork-wanted")) { /* "no insecure-fork-wanted" or "insecure-fork-wanted" */
+		if (alertif_too_many_args(0, file, linenum, args, &err_code))
+			goto out;
+		if (kwm == KWM_NO)
+			global.tune.options &= ~GTUNE_INSECURE_FORK;
+		else
+			global.tune.options |=  GTUNE_INSECURE_FORK;
+	}
 	else if (!strcmp(args[0], "nosplice")) {
 		if (alertif_too_many_args(0, file, linenum, args, &err_code))
 			goto out;
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 2e200e8..fdc19f4 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2160,10 +2160,11 @@
 
 		if (kwm != KWM_STD && strcmp(args[0], "option") != 0 &&
 		    strcmp(args[0], "log") != 0 && strcmp(args[0], "busy-polling") != 0 &&
-		    strcmp(args[0], "set-dumpable") != 0 && strcmp(args[0], "strict-limits") != 0) {
+		    strcmp(args[0], "set-dumpable") != 0 && strcmp(args[0], "strict-limits") != 0 &&
+		    strcmp(args[0], "insecure-fork-wanted") != 0) {
 			ha_alert("parsing [%s:%d]: negation/default currently "
 				 "supported only for options, log, busy-polling, "
-				 "set-dumpable and strict-limits.\n", file, linenum);
+				 "set-dumpable, strict-limits, and insecure-fork-wanted.\n", file, linenum);
 			err_code |= ERR_ALERT | ERR_FATAL;
 		}
 
@@ -2549,6 +2550,11 @@
 					 curproxy->id, "option external-check");
 				cfgerr++;
 			}
+			if (!(global.tune.options & GTUNE_INSECURE_FORK)) {
+				ha_warning("Proxy '%s' : 'insecure-fork-wanted' not enabled in the global section, '%s' will likely fail.\n",
+					 curproxy->id, "option external-check");
+				err_code |= ERR_WARN;
+			}
 		}
 
 		if (curproxy->email_alert.set) {
diff --git a/src/checks.c b/src/checks.c
index 247caf1..909bd52 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -2012,7 +2012,9 @@
 
 	pid = fork();
 	if (pid < 0) {
-		ha_alert("Failed to fork process for external health check: %s. Aborting.\n",
+		ha_alert("Failed to fork process for external health check%s: %s. Aborting.\n",
+			 (global.tune.options & GTUNE_INSECURE_FORK) ?
+			 "" : " (likely caused by missing 'insecure-fork-wanted')",
 			 strerror(errno));
 		set_server_check_status(check, HCHK_STATUS_SOCKERR, strerror(errno));
 		goto out;
diff --git a/src/haproxy.c b/src/haproxy.c
index b03d0ad..7ba3ae1 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -2749,6 +2749,23 @@
 	pthread_mutex_unlock(&init_mutex);
 #endif
 
+#if defined(RLIMIT_NPROC)
+	/* all threads have started, it's now time to prevent any new thread
+	 * or process from starting. Obviously we do this in workers only. We
+	 * can't hard-fail on this one as it really is implementation dependent
+	 * though we're interested in feedback, hence the warning.
+	 */
+	if (!(global.tune.options & GTUNE_INSECURE_FORK) && !master) {
+		struct rlimit limit = { .rlim_cur = 0, .rlim_max = 0 };
+		static int warn_fail;
+
+		if (setrlimit(RLIMIT_NPROC, &limit) == -1 && !_HA_ATOMIC_XADD(&warn_fail, 1)) {
+			ha_warning("Failed to disable forks, please report to developers with detailed "
+				   "information about your operating system. You can silence this warning "
+				   "by adding 'insecure-fork-wanted' in the 'global' section.\n");
+		}
+	}
+#endif
 	run_poll_loop();
 
 	list_for_each_entry(ptdf, &per_thread_deinit_list, list)