diff --git a/config/application.rb b/config/application.rb index 6144a8695a1..2673255cdc7 100644 --- a/config/application.rb +++ b/config/application.rb @@ -8,8 +8,8 @@ module Otwarchive class Application < Rails::Application - app_config = YAML.load_file(Rails.root.join("config/config.yml")) - app_config.merge!(YAML.load_file(Rails.root.join("config/local.yml"))) if File.exist?(Rails.root.join("config/local.yml")) + app_config = YAML.safe_load_file(Rails.root.join("config/config.yml")) + app_config.merge!(YAML.safe_load_file(Rails.root.join("config/local.yml"))) if File.exist?(Rails.root.join("config/local.yml")) ::ArchiveConfig = OpenStruct.new(app_config) # Please, add to the `ignore` list any other `lib` subdirectories that do diff --git a/config/deploy.rb b/config/deploy.rb index f164ec9747a..28171a88e7f 100644 --- a/config/deploy.rb +++ b/config/deploy.rb @@ -61,7 +61,7 @@ set :repository, "https://github.com/otwcode/otwarchive.git" set :deploy_via, :remote_cache -set :servers, -> { YAML.load_file(File.join(__dir__, "servers.yml")).deep_symbolize_keys[fetch(:stage)] } +set :servers, -> { YAML.safe_load_file(File.join(__dir__, "servers.yml")).deep_symbolize_keys[fetch(:stage)] } # overwrite default capistrano deploy tasks namespace :deploy do diff --git a/config/initializers/gem-plugin_config/redis.rb b/config/initializers/gem-plugin_config/redis.rb index a373aa00d27..be47e0e7920 100644 --- a/config/initializers/gem-plugin_config/redis.rb +++ b/config/initializers/gem-plugin_config/redis.rb @@ -7,7 +7,7 @@ # https://gist.github.com/441072 start_redis!(rails_root, :cucumber) if rails_env == :test && !(ENV["CI"] || ENV["DOCKER"]) -redis_configs = YAML.load_file("#{rails_root}/config/redis.yml", symbolize_names: true) +redis_configs = YAML.safe_load_file("#{rails_root}/config/redis.yml", symbolize_names: true) redis_configs.each_pair do |name, redis_config| redis_options = {} if redis_config[rails_env].is_a?(Hash) 
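Review bot: Both `YAML.safe_load_file` calls in config/application.rb run with default options, which reject aliases and every class outside plain strings, numbers, booleans, nil, arrays and hashes, so a `config.yml` or `local.yml` containing an anchor/alias, a Symbol or an unquoted date would now raise during boot. The same applies to the calls changed in config/deploy.rb, both gem-plugin_config initializers and lib/tasks/resque.rake; none of the YAML files is visible here, so each needs checking. Where a file does need such a construct, pass the narrowest explicit allowance, e.g. `aliases: true` or `permitted_classes: [Date]`, rather than reverting to `YAML.load_file`. A comment above the first call, `# safe_load_file: config values must be plain scalars, arrays and hashes`, would record the constraint for people editing local.yml. The `Application` class body continues past the hunk.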
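Review bot: In config/deploy.rb the `:servers` lambda indexes the parsed hash with `[fetch(:stage)]`, so a stage with no entry in servers.yml yields `nil` and the failure only surfaces later, wherever the server list is first used. `.deep_symbolize_keys.fetch(fetch(:stage))` would instead raise a `KeyError` naming the missing stage at the point of lookup. As a style point, the two Redis initializers in this commit pass `symbolize_names: true` to `YAML.safe_load_file`; doing the same here would make the separate `deep_symbolize_keys` call unnecessary and keep the call sites consistent.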
diff --git a/config/initializers/gem-plugin_config/resque.rb b/config/initializers/gem-plugin_config/resque.rb index 65062890629..1638789d2c9 100644 --- a/config/initializers/gem-plugin_config/resque.rb +++ b/config/initializers/gem-plugin_config/resque.rb @@ -3,7 +3,7 @@ rails_root = ENV["RAILS_ROOT"] || "#{File.dirname(__FILE__)}/../../.." rails_env = (ENV["RAILS_ENV"] || "development").to_sym -redis_configs = YAML.load_file("#{rails_root}/config/redis.yml", symbolize_names: true) +redis_configs = YAML.safe_load_file("#{rails_root}/config/redis.yml", symbolize_names: true) Resque.redis = redis_configs[:redis_resque][rails_env] # in-process performing of jobs (for testing) doesn't require a redis server diff --git a/lib/tasks/resque.rake b/lib/tasks/resque.rake index 2995ebefc30..e0206eb1120 100644 --- a/lib/tasks/resque.rake +++ b/lib/tasks/resque.rake @@ -20,7 +20,7 @@ namespace :resque do # The schedule doesn't need to be stored in a YAML, it just needs to # be a hash. YAML is usually the easiest. - Resque.schedule = YAML.load_file("#{Rails.root}/config/resque_schedule.yml") + Resque.schedule = YAML.safe_load_file(Rails.root.join("config/resque_schedule.yml")) # If your schedule already has +queue+ set for each job, you don't # need to require your jobs. This can be an advantage since it's
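Review bot: In config/initializers/gem-plugin_config/resque.rb, `redis_configs[:redis_resque][rails_env]` is assigned to `Resque.redis` unchecked. A redis.yml without a `redis_resque` section raises `NoMethodError` on `nil`, and one without an entry for the current environment hands `nil` to `Resque.redis=`. `Resque.redis = redis_configs.fetch(:redis_resque).fetch(rails_env)` would fail with a `KeyError` that names the missing key. Because `rails_root` is taken from `ENV["RAILS_ROOT"]`, the file that gets parsed depends on the process environment; a comment such as `# safe_load_file on purpose: the path depends on ENV["RAILS_ROOT"]` would discourage a later switch back to the unrestricted loader.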