diff --git a/horizon/values.yaml b/horizon/values.yaml
index 9a1363af0e..45e6fb77f3 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -176,6 +176,8 @@ conf:
         session_cookie_secure: "False"
         session_cookie_httponly: "False"
         secure_proxy_ssl_header: false
+        password_autocomplete: "off"
+        disallow_iframe_embed: "False"
         openstack_cinder_features:
           enable_backup: "True"
         openstack_neutron_network:
@@ -245,10 +247,10 @@ conf:
 
         # If Horizon is being served through SSL, then uncomment the following two
         # settings to better secure the cookies from security exploits
-        CSRF_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}'
-        SESSION_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}'
+        CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
+        SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
 
-        SESSION_COOKIE_HTTPONLY = '{{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}'
+        SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}
 
         # Overrides for OpenStack API versions. Use this setting to force the
         # OpenStack dashboard to use a specific API version for a given service API.
@@ -310,11 +312,11 @@ conf:
 
         # Turn off browser autocompletion for forms including the login form and
         # the database creation workflow if so desired.
-        #HORIZON_CONFIG["password_autocomplete"] = "off"
+        HORIZON_CONFIG["password_autocomplete"] = '{{ .Values.conf.horizon.local_settings.config.password_autocomplete }}'
 
         # Setting this to True will disable the reveal button for password fields,
         # including on the login form.
-        HORIZON_CONFIG["disable_password_reveal"] = '{{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}'
+        HORIZON_CONFIG["disable_password_reveal"] = {{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}
 
         LOCAL_PATH = '/tmp'
 
@@ -874,7 +876,7 @@ conf:
         # where iframes are not used in deployment. Default setting is True.
         # For more information see:
         # http://tinyurl.com/anticlickjack
-        # DISALLOW_IFRAME_EMBED = True
+        DISALLOW_IFRAME_EMBED = {{ .Values.conf.horizon.local_settings.config.disallow_iframe_embed }}
 
         STATIC_ROOT = '/var/www/html/horizon'
     policy: