diff --git a/helm/taskchampion-sync-server/Chart.yaml b/helm/taskchampion-sync-server/Chart.yaml
index a7ac268..a7813e6 100644
--- a/helm/taskchampion-sync-server/Chart.yaml
+++ b/helm/taskchampion-sync-server/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: taskchampion-sync-server
 description: A Helm chart for deploying TaskChampion Sync Server on Kubernetes
 type: application
-version: 0.1.2
+version: 0.1.3
 appVersion: "0.7.0"
 keywords:
 - taskchampion
diff --git a/helm/taskchampion-sync-server/templates/deployment.yaml b/helm/taskchampion-sync-server/templates/deployment.yaml
index 2ee7409..54ffb0e 100644
--- a/helm/taskchampion-sync-server/templates/deployment.yaml
+++ b/helm/taskchampion-sync-server/templates/deployment.yaml
@@ -32,6 +32,8 @@ spec:
 imagePullPolicy: {{ .Values.postgres.initContainer.imagePullPolicy }}
 securityContext:
 allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
 env:
 - name: PGURI
 valueFrom:
@@ -90,6 +92,16 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 securityContext:
 allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1092
+ readOnlyRootFilesystem: true
+ {{- if eq .Values.postgres.enabled true }}
+ command:
+ - /bin/taskchampion-sync-server-postgres
+ {{- else }}
+ command:
+ - /bin/taskchampion-sync-server
+ {{- end }}
 env:
 {{- range $name, $value := .Values.env }}
 - name: {{ $name }}
@@ -117,6 +129,18 @@ spec:
 - name: http
 containerPort: {{ .Values.service.targetPort }}
 protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
 {{- with .Values.resources }}
 resources:
 {{- toYaml . | nindent 12 }}
diff --git a/helm/taskchampion-sync-server/templates/serviceaccount.yaml b/helm/taskchampion-sync-server/templates/serviceaccount.yaml
index d4742a8..4bb353f 100644
--- a/helm/taskchampion-sync-server/templates/serviceaccount.yaml
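Review bot: The init container's `securityContext` in the `@@ -32,6 +32,8 @@` hunk pins `runAsUser: 1000` in the template, and the main container in the `@@ -90,6 +92,16 @@` hunk does the same with `runAsUser: 1092`, so an operator whose image build or cluster UID policy needs a different value has to fork the chart. I would render both blocks from values (for example a proposed `securityContext:` key emitted with `{{- toYaml .Values.securityContext | nindent 12 }}`) and keep the current settings as defaults. Both contexts also still lack `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}`, which the Pod Security "restricted" profile expects, and the init container does not get the `readOnlyRootFilesystem: true` that the main container receives. Both container specs start and end outside their hunks.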
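Review bot: `readOnlyRootFilesystem: true` together with `runAsUser: 1092` in the `@@ -90,6 +92,16 @@` hunk only works if every path the server writes to is a mounted volume that UID 1092 can write, and the volume mounts are outside this hunk, so that cannot be confirmed from here. If the non-Postgres binary keeps its data on a persistent volume, a pod-level `fsGroup: 1092` (or equivalent ownership) is probably needed, otherwise a volume populated by an earlier release running as another user may become unwritable after upgrade. The explicit `command:` replaces the image's entrypoint, so any setup that entrypoint performed is skipped; a comment such as `# Run the binary directly; the image entrypoint is bypassed so the container can start as a non-root user.` would record the reason (wording for the author to confirm). As a style point, `{{- if eq .Values.postgres.enabled true }}` can be shortened to `{{- if .Values.postgres.enabled }}` for a boolean value.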
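Review bot: The liveness and readiness probes added in the `@@ -117,6 +129,18 @@` hunk are identical and hard-coded, so a slow response on `/` both removes the pod from the Service and, after the default three failures, restarts it, and operators cannot tune or disable either probe from values. With the default `timeoutSeconds` of 1 and the `cpu: 100m` limit this commit introduces in values.yaml, a throttled pod could plausibly fail the liveness check under load and enter a restart loop. I would render both probes from values the same way `resources` is rendered just below (`{{- with .Values.livenessProbe }}` followed by `{{- toYaml . | nindent 12 }}`), keep these settings as the defaults, and give liveness a more tolerant `failureThreshold` or `timeoutSeconds` than readiness. The container spec continues outside this hunk.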
+++ b/helm/taskchampion-sync-server/templates/serviceaccount.yaml
@@ -9,6 +9,7 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: false
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -35,4 +36,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "taskchampion-sync-server.fullname" . }}
 namespace: {{ .Release.Namespace }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
diff --git a/helm/taskchampion-sync-server/values.yaml b/helm/taskchampion-sync-server/values.yaml
index 1c07ab3..1c17a12 100644
--- a/helm/taskchampion-sync-server/values.yaml
+++ b/helm/taskchampion-sync-server/values.yaml
@@ -72,13 +72,13 @@ httpRoute:
 port: 8080
 # Resource limits and requests
-resources: {}
- # limits:
- # memory: 128Mi
- # cpu: 100m
- # requests:
- # memory: 64Mi
- # cpu: 50m
+resources:
+ limits:
+ memory: 25Mi
+ cpu: 100m
+ requests:
+ memory: 5Mi
+ cpu: 10m
 # Replica configuration (only applies when postgres is enabled)
 replicas:
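Review bot: `automountServiceAccountToken: false` is set on the ServiceAccount in the `@@ -9,6 +9,7 @@` hunk, yet the same file still creates a Role and a binding for that account (the `kind: Role` context line here and the `subjects:` entry in the next hunk), which leaves it unclear whether the pod is meant to call the Kubernetes API. If it is not, the Role and its binding grant permissions nothing can use and are better removed; if it is, this line is likely to break that access. Because a pod spec's own `automountServiceAccountToken` takes precedence over the ServiceAccount's, I would also set `automountServiceAccountToken: false` in the Deployment's pod spec so the intent holds when a different ServiceAccount is substituted. A comment above the field, for example `# The server does not call the Kubernetes API, so no token is mounted.`, would record the decision once the author confirms it.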
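Review bot: The new default `limits.memory: 25Mi` in the values.yaml hunk is a hard ceiling that every install now inherits on upgrade, and the only comment above it (`# Resource limits and requests`) does not say how the figure was measured or that exceeding it gets the container OOM-killed. The same block is applied whichever server binary the chart selects, and nothing visible shows that both were measured against it. I would extend the comment to something like `# Defaults sized for a small deployment; raise limits.memory if the pod is OOMKilled. Set resources to null to remove them.` and mention the changed default in the release notes, since the previous default was `resources: {}`.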