diff --git a/charts/db-backup/values.yaml b/charts/db-backup/values.yaml
index cc058163df2..b5f52c51b5e 100644
--- a/charts/db-backup/values.yaml
+++ b/charts/db-backup/values.yaml
@@ -53,6 +53,8 @@ securityContext:
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1001
+  seccompProfile:
+    type: RuntimeDefault
 
 serviceAccount:
   create: true
diff --git a/charts/generic-govuk-app/templates/assets-upload-job.yaml b/charts/generic-govuk-app/templates/assets-upload-job.yaml
index 592898239c9..639b0940cc0 100644
--- a/charts/generic-govuk-app/templates/assets-upload-job.yaml
+++ b/charts/generic-govuk-app/templates/assets-upload-job.yaml
@@ -45,10 +45,13 @@ spec:
             - name: assets-to-upload
               mountPath: /assets-to-upload
           securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+            runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+            seccompProfile:
+              type: RuntimeDefault
             capabilities:
-              drop: ["ALL"]
+              drop: {{ .Values.securityContext.capabilities.drop }}
       containers:
         - name: upload-assets
           image: 172025368201.dkr.ecr.eu-west-1.amazonaws.com/github/alphagov/govuk/toolbox:latest
diff --git a/charts/generic-govuk-app/templates/deployment.yaml b/charts/generic-govuk-app/templates/deployment.yaml
index 9391db39ab4..1043518ad3f 100644
--- a/charts/generic-govuk-app/templates/deployment.yaml
+++ b/charts/generic-govuk-app/templates/deployment.yaml
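Review bot: `runAsNonRoot: true` is added to this init container without a `runAsUser`, so unless the pod-level securityContext (outside this hunk) pins a UID or the toolbox image declares a numeric non-root USER, the kubelet will refuse to start the container ("container has runAsNonRoot and image will run as root") rather than run it — fail-closed, but it should be verified before this ships, and note the image is pulled by the mutable `:latest` tag so the answer can change under you. Sprig's `default` treats boolean `false` as empty, so `| default "true"` on `runAsNonRoot` and `readOnlyRootFilesystem` means an explicit `false` in values is silently replaced by `true`; that is a safe direction, but the values keys then only work one way and that deserves a comment. `drop: {{ .Values.securityContext.capabilities.drop }}` only renders valid YAML because Go prints a slice as `[ALL]`; `drop: {{ .Values.securityContext.capabilities.drop | toJson }}` is robust for any list. The init container definition starts before this hunk.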
@@ -63,6 +63,15 @@ spec:
           volumeMounts:
             - name: assets
               mountPath: /assets
+          securityContext:
+            allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+            runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop: {{ .Values.securityContext.capabilities.drop }}
+
       {{- end }}
       containers:
         - name: app
@@ -127,9 +136,9 @@ spec:
           {{- end }}
           securityContext:
             allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
-            readOnlyRootFilesystem: true
+            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFileSystem }}
             capabilities:
-              drop: ["ALL"]
+              drop: {{ .Values.securityContext.capabilities.drop }}
           volumeMounts:
             - name: app-tmp
               mountPath: /tmp
diff --git a/charts/generic-govuk-app/values.yaml b/charts/generic-govuk-app/values.yaml
index 43326e49531..6108aa631d0 100644
--- a/charts/generic-govuk-app/values.yaml
+++ b/charts/generic-govuk-app/values.yaml
@@ -157,6 +157,9 @@ securityContext:
   allowPrivilegeEscalation: false
   runAsUser: 1001
   runAsGroup: 1001
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop: ["ALL"]
 
 sentry:
   enabled: true
diff --git a/charts/govuk-jobs/templates/govuk-mirror-sync-cronjob.yaml b/charts/govuk-jobs/templates/govuk-mirror-sync-cronjob.yaml
index f4edcbe6cdc..80bd1b4b126 100644
--- a/charts/govuk-jobs/templates/govuk-mirror-sync-cronjob.yaml
+++ b/charts/govuk-jobs/templates/govuk-mirror-sync-cronjob.yaml
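Review bot: The securityContext added in this hunk sits at the end of a container block whose start is outside the hunk (it precedes `{{- end }}`), so which container it hardens is not visible here; presumably the assets init container, given the `/assets` mount above it. The block mirrors the job template, so the same caveat applies: `| default "true"` swallows an explicit `false` from values, and `drop: {{ .Values.securityContext.capabilities.drop }}` should use `| toJson` rather than rely on Go's slice formatting. `seccompProfile: RuntimeDefault` is the one field here deliberately not driven by values, which is a sound choice but differs from db-backup's chart where it lives in values; a one-line comment such as `# seccompProfile is intentionally fixed, not overridable from values` would make the asymmetry read as intended.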
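Review bot: `readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFileSystem }}` reads a key spelled `FileSystem`, while the values.yaml in this same commit and every other template use `readOnlyRootFilesystem`. Helm renders a missing map key as an empty value rather than an error (unless `--strict`), so this line becomes `readOnlyRootFilesystem:` — null, i.e. unset — and the main `app` container silently loses the read-only root filesystem that was previously hard-coded to `true`. Fix the spelling and give it the same fallback the other templates got: `readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}`. Note also that this container gains neither `runAsNonRoot` nor `seccompProfile` in this hunk, unlike the init container and job hunks; if those are not set at pod level (not visible here), the app container ends up the least hardened one in the chart.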
@@ -50,8 +50,13 @@ spec:
                   cpu: 2
                   memory: 15000Mi
               securityContext:
-                allowPrivilegeEscalation: false
-                readOnlyRootFilesystem: true
+                allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+                runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+                readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+                seccompProfile:
+                  type: RuntimeDefault
+                capabilities:
+                  drop: {{ .Values.securityContext.capabilities.drop }}
               volumeMounts:
                 - name: app-mirror-sync
                   mountPath: /data
diff --git a/charts/govuk-jobs/values.yaml b/charts/govuk-jobs/values.yaml
index d6213170c9c..ef5560141e0 100644
--- a/charts/govuk-jobs/values.yaml
+++ b/charts/govuk-jobs/values.yaml
@@ -11,7 +11,7 @@ podSecurityContext:
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
-    drop: [ALL]
+    drop: ["ALL"]
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1001
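Review bot: This container now renders `runAsNonRoot`, `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities` from values but not `runAsUser`, even though this chart's values.yaml defines `securityContext.runAsUser: 1001` right next to them; with `runAsNonRoot: true` the effective UID therefore depends on `podSecurityContext` (header context only, not visible here) or the image's USER, and the kubelet rejects the container if that resolves to root. Copying fields one at a time between values and template is also exactly how the `readOnlyRootFileSystem` misspelling elsewhere in this commit crept in; rendering the map in one go, `securityContext: {{- toYaml .Values.securityContext | nindent 14 }}` (indent to match), keeps the two in lockstep, with `seccompProfile` moving into values as db-backup already does. If the per-field form is kept, be aware that `| default "true"` turns an explicit `false` in values into `true`, so those two keys are effectively read-only.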