diff --git a/cloudbuild.yaml b/cloudbuild.yaml
index 1975992a..3130425b 100644
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -15,34 +15,6 @@ steps:
       ["push", "europe-west1-docker.pkg.dev/$PROJECT_ID/sghi/mle:$COMMIT_SHA"]
 
   # Deploy an image from Container Registry to Cloud Run
-  # TODO POSTGRES_HOST
-  # TODO POSTGRES_PORT
-  # TODO POSTGRES_DB
-  # TODO POSTGRES_USER
-  # TODO POSTGRES_PASSWORD
-  # TODO DATABASE_URL
-  # TODO DJANGO_SECRET_KEY
-  # TODO DJANGO_ADMIN_URL
-  # TODO DJANGO_ALLOWED_HOSTS
-  # TODO DJANGO_SECURE_BROWSER_XSS_FILTER
-  # TODO DJANGO_SECURE_SSL_REDIRECT
-  # TODO DJANGO_SECURE_CONTENT_TYPE_NOSNIFF
-  # TODO DJANGO_SECURE_FRAME_DENY
-  # TODO DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS
-  # TODO DJANGO_SESSION_COOKIE_HTTPONLY
-  # TODO DJANGO_SESSION_COOKIE_SECURE
-  # TODO DJANGO_SERVER_EMAIL
-  # TODO DJANGO_DEFAULT_FROM_EMAIL
-  # TODO DJANGO_EMAIL_SUBJECT_PREFIX
-  # TODO DJANGO_SENTRY_LOG_LEVEL
-  # TODO SENTRY_TRACES_SAMPLE_RATE
-  # TODO MAILGUN_API_KEY
-  # TODO MAILGUN_DOMAIN
-  # TODO MAILGUN_API_URL
-  # TODO DJANGO_GCP_STORAGE_BUCKET_NAME
-  # TODO DJANGO_ACCOUNT_ALLOW_REGISTRATION
-  # TODO SENTRY_DSN=https://a05704bb311943c1b1d737b60b64c09c@errors.bewell.co.ke/6
-
   - name: 'gcr.io/cloud-builders/gcloud'
     args: [
       'run',
@@ -52,7 +24,8 @@ steps:
       '--region', 'europe-west1',
       '--platform', 'managed',
       '--allow-unauthenticated',
-      '--update-env-vars', 'SENTRY_ENVIRONMENT=prod,COMPRESS_ENABLED=true,DJANGO_DEBUG=false,USE_DOCKER=yes,DJANGO_READ_DOT_ENV_FILE=False,DJANGO_SETTINGS_MODULE=config.settings.production,DJANGO_SECURE_SSL_REDIRECT=False,WEB_CONCURRENCY=4'
+      '--add-cloudsql-instances ', '${_CLOUDSQL_INSTANCE_CONNECTION_NAME}',
+      '--update-env-vars', 'SENTRY_ENVIRONMENT=prod,COMPRESS_ENABLED=true,DJANGO_DEBUG=false,USE_DOCKER=yes,DJANGO_READ_DOT_ENV_FILE=False,DJANGO_SETTINGS_MODULE=config.settings.production,DJANGO_SECURE_SSL_REDIRECT=False,WEB_CONCURRENCY=4,DJANGO_EMAIL_SUBJECT_PREFIX=[mle],DJANGO_SESSION_COOKIE_SECURE=True,DJANGO_SESSION_COOKIE_HTTPONLY=True,DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS=True,DJANGO_SECURE_SSL_REDIRECT=True,DJANGO_SECURE_BROWSER_XSS_FILTER=True,DJANGO_SECURE_CONTENT_TYPE_NOSNIFF=True,DJANGO_SECURE_FRAME_DENY=True,DJANGO_ACCOUNT_ALLOW_REGISTRATION=${_DJANGO_ACCOUNT_ALLOW_REGISTRATION},DJANGO_GCP_STORAGE_BUCKET_NAME=${_DJANGO_GCP_STORAGE_BUCKET_NAME},SENTRY_DSN=${_SENTRY_DSN},DJANGO_SECRET_KEY=${_DJANGO_SECRET_KEY},DJANGO_ADMIN_URL=${_DJANGO_ADMIN_URL},DJANGO_ALLOWED_HOSTS=${_DJANGO_ALLOWED_HOSTS},MAILGUN_API_KEY=${_MAILGUN_API_KEY},MAILGUN_DOMAIN=${_MAILGUN_DOMAIN},MAILGUN_API_URL=${_MAILGUN_API_URL},DJANGO_SERVER_EMAIL=${_DJANGO_SERVER_EMAIL},DJANGO_DEFAULT_FROM_EMAIL=${_DJANGO_DEFAULT_FROM_EMAIL},INSTANCE_CONNECTION_NAME=${_CLOUDSQL_INSTANCE_CONNECTION_NAME}:${COMMIT_SHA},POSTGRES_HOST=${_POSTGRES_HOST},POSTGRES_PORT=${_POSTGRES_PORT},POSTGRES_DB=${POSTGRES_DB},POSTGRES_USER=${POSTGRES_USER},POSTGRES_PASSWORD=${POSTGRES_PASSWORD}'
   ]
 
 images:
diff --git a/config/settings/production.py b/config/settings/production.py
index 92acee37..c6d29842 100644
--- a/config/settings/production.py
+++ b/config/settings/production.py
@@ -41,8 +41,7 @@
 CSRF_COOKIE_SECURE = True
 # https://docs.djangoproject.com/en/dev/topics/security/#ssl-https
 # https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-seconds
-# TODO: set this to 60 seconds first and then to 518400 once you prove the former works
-SECURE_HSTS_SECONDS = 60
+SECURE_HSTS_SECONDS = 518400
 # https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-include-subdomains
 SECURE_HSTS_INCLUDE_SUBDOMAINS = env.bool("DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS", default=True)
 # https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-preload
diff --git a/pepfar_mle/users/tests/test_views.py b/pepfar_mle/users/tests/test_views.py
index ee98037d..4fe1df71 100644
--- a/pepfar_mle/users/tests/test_views.py
+++ b/pepfar_mle/users/tests/test_views.py
@@ -17,14 +17,6 @@
 
 
 class TestUserUpdateView:
-    """
-    TODO:
-        extracting view initialization code as class-scoped fixture
-        would be great if only pytest-django supported non-function-scoped
-        fixture db access -- this is a work-in-progress for now:
-        https://github.com/pytest-dev/pytest-django/pull/258
-    """
-
     def dummy_get_response(self, request: HttpRequest):
         return None