diff --git a/manifests/init.pp b/manifests/init.pp
index bb6374be..d9742a82 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -394,7 +394,9 @@ class horizon(
   }
 
   concat { $::horizon::params::config_file:
-    mode    => '0644',
+    mode    => '0640',
+    owner   => $::horizon::params::wsgi_user,
+    group   => $::horizon::params::wsgi_group,
     require => Package['horizon'],
   }
 
diff --git a/releasenotes/notes/local-settings-permissions-666e7cd5d55cf813.yaml b/releasenotes/notes/local-settings-permissions-666e7cd5d55cf813.yaml
new file mode 100644
index 00000000..4d27de3a
--- /dev/null
+++ b/releasenotes/notes/local-settings-permissions-666e7cd5d55cf813.yaml
@@ -0,0 +1,4 @@
+---
+security:
+  - local_settings file is no longer world readable (from 644 to 640) as it may
+    contain sensitive information.