diff --git a/config/application.rb b/config/application.rb
index c17b366a0e1..63266f79301 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -118,6 +118,16 @@ class Application < Rails::Application
 # https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L92
 config.load_defaults 7.0
+ # TODO: this is the only change we had from defaults in 7.0. See secure_headers.rb. It's 0 in defaults.
+ config.action_dispatch.default_headers["X-XSS-Protection"] = "1; mode=block"
+
+ # TODO: Find and fixed any deprecated behavior. Opt in later.
+ config.active_support.remove_deprecated_time_with_zone_name = false
+ config.active_support.disable_to_s_conversion = false
+
+ # TODO: If disabled, causes cross repo test failures in content, ui-classic and amazon provider
+ config.active_record.partial_inserts = true
+
 # Disable this setting as it causes MiqRegion.seed to fail validation on belongs_to maintenance zone.
 # TODO: We should fix this so we don't need to carry this override.
 config.active_record.belongs_to_required_by_default = false
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index bfa401e9844..b32bd7e9c28 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -10,6 +10,10 @@
 config.x_content_type_options = "nosniff"
 # X-XSS-Protection
 # X-Permitted-Cross-Domain-Policies
+ #FYI, this was deprecated and disabled in rails 7. Using content security policy is the desired behavior going forward:
+ # https://github.com/rails/rails/commit/1f4714c3f798df227222f531141880b8e1b4170a
+ # https://github.com/rails/rails/blob/d437ae311f1b9dc40b442e40eb602e020cec4e49/railties/lib/rails/application/configuration.rb#L227
 config.x_xss_protection = "1; mode=block"
 config.referrer_policy = "no-referrer-when-downgrade"
 # Content-Security-Policy
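Review bot: Re-adding `X-XSS-Protection: 1; mode=block` through `config.action_dispatch.default_headers` reverts the Rails 7.0 default of `0`, and that default was chosen deliberately: the legacy browser XSS auditor has been removed from Chromium-based browsers and was never implemented in Firefox, and where it still exists the `1; mode=block` mode has been shown to be abusable for cross-site information leaks, so current guidance is to send `0` and rely on Content-Security-Policy. Unless a supported browser still needs the filter, change the line to `config.action_dispatch.default_headers["X-XSS-Protection"] = "0"` or drop it and let the framework default stand. The same header is also set in config/initializers/secure_headers.rb, so keeping both leaves two places to keep in sync; the TODO should say which one is authoritative. Separately, the comment `# TODO: Find and fixed any deprecated behavior` should read `Find and fix`. The enclosing `class Application` body starts and ends outside this hunk.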
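Review bot: The added comment states that the header was deprecated and disabled in Rails 7 and that CSP is the desired behavior going forward, yet the line immediately below still sets `config.x_xss_protection = "1; mode=block"`, so the comment documents a decision the code does not make. If the intent is to follow Rails, set `config.x_xss_protection = "0"` so the gem emits the disabling value instead of the legacy filter, and confirm that the CSP section further down (only the `# Content-Security-Policy` heading is visible in this hunk) actually defines a policy before relying on it. Also, `#FYI` is missing the space after `#` that the neighbouring comments use; write it as `# FYI, ...`. The configuration block these `config.` calls belong to starts and ends outside the hunk.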