diff --git a/.cruft.json b/.cruft.json
index 620bb81..df3fe28 100644
--- a/.cruft.json
+++ b/.cruft.json
@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/Azure-Samples/Azure-Python-Standardization-Template-Generator",
-  "commit": "397605f4143cc348247197e9b1c30729a94b828f",
+  "commit": "f9a5fdc99895df6e7f4844a19cb000ec8eb23bca",
   "checkout": null,
   "context": {
     "cookiecutter": {
diff --git a/infra/core/database/cosmos/cosmos-account.bicep b/infra/core/database/cosmos/cosmos-account.bicep
index 741a862..e3be52c 100644
--- a/infra/core/database/cosmos/cosmos-account.bicep
+++ b/infra/core/database/cosmos/cosmos-account.bicep
@@ -29,6 +29,7 @@ resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' = {
     enableMultipleWriteLocations: false
     apiProperties: (kind == 'MongoDB') ? { serverVersion: '4.2' } : {}
     capabilities: [ { name: 'EnableServerless' } ]
+    disableKeyBasedMetadataWriteAccess: true // See PsRule AZR-000095
   }
 }
 
diff --git a/infra/core/host/appservice.bicep b/infra/core/host/appservice.bicep
index bef4d2b..85aac63 100644
--- a/infra/core/host/appservice.bicep
+++ b/infra/core/host/appservice.bicep
@@ -17,6 +17,8 @@ param runtimeName string
 param runtimeNameAndVersion string = '${runtimeName}|${runtimeVersion}'
 param runtimeVersion string
 
+param enableDiagnosticLogging bool = true
+
 // Microsoft.Web/sites Properties
 param kind string = 'app,linux'
 
@@ -58,6 +60,10 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
       cors: {
         allowedOrigins: union([ 'https://portal.azure.com', 'https://ms.portal.azure.com' ], allowedOrigins)
       }
+      // Diagnostic logging
+      detailedErrorLoggingEnabled: enableDiagnosticLogging
+      httpLoggingEnabled: enableDiagnosticLogging
+      requestTracingEnabled: enableDiagnosticLogging
     }
     clientAffinityEnabled: clientAffinityEnabled
     httpsOnly: true