diff --git a/gradle.properties b/gradle.properties
index e8888610fd..06b04b5366 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -60,7 +60,7 @@ windowsProteomicsBinariesVersion=1.0
 artifactoryPluginVersion=5.2.5
 gradleNodePluginVersion=7.1.0
 gradlePluginsVersion=6.2.0
-owaspDependencyCheckPluginVersion=12.1.1
+owaspDependencyCheckPluginVersion=12.1.3
 versioningPluginVersion=1.1.2
 # Versions of node and npm to use during the build. If set, these versions
@@ -99,7 +99,7 @@ apacheDirectoryVersion=2.1.7
 apacheMinaVersion=2.2.4
 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
-apacheTomcatVersion=10.1.41
+apacheTomcatVersion=10.1.42
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
@@ -287,7 +287,7 @@ slf4jLog4jApiVersion=2.0.16
 snappyJavaVersion=1.1.10.7
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=3.5.0
+springBootVersion=3.5.3
 # This usually matches the Spring Framework version dictated by springBootVersion
 springVersion=6.2.8
diff --git a/server/configs/application.properties b/server/configs/application.properties
index f5311aa879..c77e14283d 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -65,6 +65,14 @@ context.encryptionKey=@@encryptionKey@@
 #context.bypass2FA=true
 #context.workDirLocation=/path/to/desired/workDir
+## Tomcat v10.1.42 lowered the default for part count from 1000 to 10. Our default is now 500.
+## Tomcat also lowered the header size default from 10Kb to 512, which is also our default.
+## We lower max connections from default 8192 to 250, providing ample concurrent requests for LabKey Server scenarios.
+## These settings can be overridden if needed, but reasonable limits reduce your server's vulnerability to DoS attacks.
+server.tomcat.max-part-count=500
+server.tomcat.max-part-header-size=512
+server.tomcat.max-connections=250
+
 ## SMTP configuration
 mail.smtpHost=@@smtpHost@@
 mail.smtpPort=@@smtpPort@@
diff --git a/server/configs/webapps/embedded/config/application.properties b/server/configs/webapps/embedded/config/application.properties
index 07a93674a8..5a171dc332 100644
--- a/server/configs/webapps/embedded/config/application.properties
+++ b/server/configs/webapps/embedded/config/application.properties
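Review bot: `server.tomcat.max-connections=250` is added with no timeout next to it, and a cap this low is only protective if idle or slow connections are released quickly, since otherwise a modest number of held-open connections fills every slot. Unless they are already set outside this hunk, I would pair it with explicit `server.tomcat.connection-timeout` and `server.tomcat.keep-alive-timeout` values and say so in the comment. The comment should also note that behind a reverse proxy the limit applies to the proxy's connections to Tomcat, so the proxy's own limits need to agree with it. The identical block in server/configs/webapps/embedded/config/application.properties has the same gap.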
@@ -103,6 +103,14 @@ mail.smtpUser=Anonymous
 #context.bypass2FA=true
 #context.workDirLocation=@@/path/to/desired/workDir@@
+## Tomcat v10.1.42 lowered the default for part count from 1000 to 10. Our default is now 500.
+## Tomcat also lowered the header size default from 10Kb to 512, which is also our default.
+## We lower max connections from default 8192 to 250, providing ample concurrent requests for LabKey Server scenarios.
+## These settings can be overridden if needed, but reasonable limits reduce your server's vulnerability to DoS attacks.
+server.tomcat.max-part-count=500
+server.tomcat.max-part-header-size=512
+server.tomcat.max-connections=250
+
 ## Other webapps to be deployed, most commonly to deliver a set of static files. The context path to deploy into is the
 ## property name after the "context.additionalWebapps." prefix, and the value is the location of the webapp on disk
 #context.additionalWebapps.firstContextPath=@@/my/webapp/path@@
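Review bot: The comment line for `server.tomcat.max-part-header-size` gives the old default with a unit ("10Kb") and the new value without one, and the setting itself is a bare `512`. I would write `## Tomcat also lowered the per-part header size default from 10KB to 512 bytes, which is also our default.` so an operator raising the limit does not read 512 as kilobytes. The same wording is in the server/configs/application.properties hunk.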