diff --git a/config/application.rb b/config/application.rb index bc261bdbe2..e4e2c3d4e3 100644 --- a/config/application.rb +++ b/config/application.rb @@ -28,6 +28,8 @@ module TeachingVacancies class Application < Rails::Application config.load_defaults 7.0 + config.add_autoload_paths_to_load_path = false + config.time_zone = "Europe/London" # Automatically add `id: uuid` on any generated migrations @@ -38,6 +40,17 @@ class Application < Rails::Application config.action_view.sanitized_allowed_tags = %w[p br strong em ul li h1 h2 h3 h4 h5] config.action_view.default_form_builder = GOVUKDesignSystemFormBuilder::FormBuilder + # Given we are using Lockbox, this ensures that Rails does not include unnecessary support for SHA-1, + # which is deprecated and considered insecure. + config.active_record.encryption.support_sha1_for_non_deterministic_encryption = false + + # Disable deprecated singular associations names. + config.active_record.allow_deprecated_singular_associations_name = false + + # No longer run after_commit callbacks on the first of multiple Active Record + # instances to save changes to the same database row within a transaction. + config.active_record.run_commit_callbacks_on_first_saved_instances_in_transaction = false + # Settings in config/environments/* take precedence over those # specified here. # Application configuration should go into files in config/initializers 
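Review bot: In the `@@ -38,6 +40,17 @@` hunk of config/application.rb, the comment above `support_sha1_for_non_deterministic_encryption = false` cites Lockbox but does not record the precondition that makes the change safe. With the flag off, Rails only decrypts using the configured `hash_digest_class`, so any attribute already stored through Active Record's own encryption under SHA-1 would stop decrypting. Nothing visible in the hunk shows whether such attributes exist, so I would state the assumption in the comment, for example `# Safe only while no model uses Active Record Encryption ("encrypts"); encrypted columns all go through Lockbox.` The Application class body starts and ends outside the hunk.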
@@ -58,6 +71,23 @@ class Application < Rails::Application config.active_storage.routes_prefix = "/attachments" config.active_storage.resolve_model_to_route = :rails_storage_proxy + # Specify the default serializer used by `MessageEncryptor` and `MessageVerifier` + # instances. + # + # The legacy default is `:marshal`, which is a potential vector for + # deserialization attacks in cases where a message signing secret has been + # leaked. + # + # In Rails 7.1, the new default is `:json_allow_marshal` which serializes and + # deserializes with `ActiveSupport::JSON`, but can fall back to deserializing + # with `Marshal` so that legacy messages can still be read. + # + # In Rails 7.2, the default will become `:json` which serializes and + # deserializes with `ActiveSupport::JSON` only. + config.active_support.message_serializer = :json_allow_marshal + + config.active_support.use_message_serializer_for_metadata = true + config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "info").to_sym # Set up backing services through VCAP_SERVICES if running on AKS @@ -110,6 +140,9 @@ class Application < Rails::Application # we figure out a way around that, this keeps the pre-Rails 7 default around. Rails.application.config.action_controller.raise_on_open_redirects = false + # Do not treat an `ActionController::Parameters` instance as equal to an equivalent `Hash` by default. + Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality = false + Rails.autoloaders.main.ignore(Rails.root.join("app/frontend")) config.after_initialize do |app| diff --git a/config/environments/development.rb b/config/environments/development.rb index c3a4e925d1..7b69fd9cea 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb 
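Review bot: In the `@@ -58,6 +71,23 @@` hunk of config/application.rb, `:json_allow_marshal` still deserializes with `Marshal` on the fallback path, so the leaked-secret exposure the comment describes stays open until the setting becomes `:json`, and nothing in the hunk records when that will happen. I would add a follow-up marker such as `# TODO: switch to :json once messages written before this deploy have expired.` The next line, `use_message_serializer_for_metadata = true`, has no comment although it changes the message format. Per the Rails configuration guide, messages written with it cannot be read by Rails versions before 7.1, which matters for a rollback or a mixed-version rolling deploy, so a one-line comment saying so would help. The Application class body starts and ends outside the hunk.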
@@ -62,6 +62,10 @@ # Tell Active Support which deprecation messages to disallow. config.active_support.disallowed_deprecation_warnings = [] + # Specify if an `ArgumentError` should be raised if `Rails.cache` `fetch` or + # `write` are given an invalid `expires_at` or `expires_in` time. + config.active_support.raise_on_invalid_cache_expiration_time = true + # Raise an error on page load if there are pending migrations. config.active_record.migration_error = false diff --git a/config/environments/test.rb b/config/environments/test.rb index 6c0741089f..622877f8bc 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -54,6 +54,10 @@ # Raise exceptions for disallowed deprecations. config.active_support.disallowed_deprecation = :raise + # Specify if an `ArgumentError` should be raised if `Rails.cache` `fetch` or + # `write` are given an invalid `expires_at` or `expires_in` time. + config.active_support.raise_on_invalid_cache_expiration_time = true + # Tell Active Support which deprecation messages to disallow. config.active_support.disallowed_deprecation_warnings = [] diff --git a/config/initializers/assets.rb b/config/initializers/assets.rb new file mode 100644 index 0000000000..487324424f --- /dev/null +++ b/config/initializers/assets.rb @@ -0,0 +1,7 @@ +# Be sure to restart your server when you modify this file. + +# Version of your assets, change this if you want to expire all your assets. +Rails.application.config.assets.version = "1.0" + +# Add additional assets to the asset load path. +# Rails.application.config.assets.paths << Emoji.images_path