diff --git a/config/Config-build.in b/config/Config-build.in
index 371ae7632adf053023e1a5e55b7a543b8a441c86..02fe1367914ebad91d5417161c31d900f58d5aee 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -93,6 +93,15 @@ menu "Global build settings"
 
 		  If you are unsure, select N.
 
+	config PKG_CHECK_FORMAT_SECURITY
+		bool
+		prompt "Enable gcc format-security"
+		default n
+		help
+		  Add -Wformat -Werror=format-security to the CFLAGS
+		  You can disable this per package by adding
+		  PKG_CHECK_FORMAT_SECURITY:=0 in the package Makefile
+
 	config PKG_BUILD_USE_JOBSERVER
 		bool
 		prompt "Use top-level make jobserver for packages"
diff --git a/include/package.mk b/include/package.mk
index 88ec3ef57f5f3aad2eb67700e7a1e72a00acb0f8..1cdab6b447000584e2340981cd5db3fad7676284 100644
--- a/include/package.mk
+++ b/include/package.mk
@@ -14,7 +14,7 @@ PKG_INSTALL_DIR ?= $(PKG_BUILD_DIR)/ipkg-install
 PKG_MD5SUM ?= unknown
 PKG_BUILD_PARALLEL ?=
 PKG_USE_MIPS16 ?= 1
-PKG_CHECK_FORMAT_SECURITY ?= 0
+PKG_CHECK_FORMAT_SECURITY ?= 1
 
 ifneq ($(CONFIG_PKG_BUILD_USE_JOBSERVER),)
   MAKE_J:=$(if $(MAKE_JOBSERVER),$(MAKE_JOBSERVER) -j)
@@ -34,8 +34,10 @@ ifdef CONFIG_USE_MIPS16
     TARGET_CFLAGS += -mips16 -minterlink-mips16
   endif
 endif
-ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
-  TARGET_CFLAGS += -Wformat -Werror=format-security
+ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
+  ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
+    TARGET_CFLAGS += -Wformat -Werror=format-security
+  endif
 endif
 
 include $(INCLUDE_DIR)/prereq.mk