diff --git a/internal/bugseti/config.go b/internal/bugseti/config.go
index 3a8af7b..88ad967 100644
--- a/internal/bugseti/config.go
+++ b/internal/bugseti/config.go
@@ -149,7 +149,7 @@ func (c *ConfigService) saveUnsafe() error {
 	if err != nil {
 		return err
 	}
-	return os.WriteFile(c.path, data, 0644)
+	return os.WriteFile(c.path, data, 0600)
 }
 
 // mergeDefaults fills in default values for any unset fields.
diff --git a/internal/bugseti/config_test.go b/internal/bugseti/config_test.go
new file mode 100644
index 0000000..19ed143
--- /dev/null
+++ b/internal/bugseti/config_test.go
@@ -0,0 +1,37 @@
+package bugseti
+
+import (
+	"os"
+	"testing"
+)
+
+func TestConfigPermissions(t *testing.T) {
+	// Get a temporary file path
+	f, err := os.CreateTemp("", "bugseti-config-*.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	name := f.Name()
+	f.Close()
+	os.Remove(name) // Ensure it doesn't exist
+	defer os.Remove(name)
+
+	c := &ConfigService{
+		path: name,
+		config: &Config{},
+	}
+
+	if err := c.Save(); err != nil {
+		t.Fatalf("Save failed: %v", err)
+	}
+
+	info, err := os.Stat(name)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mode := info.Mode().Perm()
+	if mode != 0600 {
+		t.Errorf("expected file permissions 0600, got %04o", mode)
+	}
+}