diff --git a/gradle.properties b/gradle.properties
index c672d7492a..f9d0deb62c 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -44,7 +44,7 @@ buildFromSource=true
 # The default version for LabKey artifacts that are built or that we depend on.
 # override in an individual module's gradle.properties file as necessary
-labkeyVersion=25.3.13
+labkeyVersion=25.3.14
 labkeyClientApiVersion=6.2.0
 # Version numbers for the various binary artifacts that are included when
@@ -60,7 +60,7 @@ windowsProteomicsBinariesVersion=1.0
 artifactoryPluginVersion=5.2.5
 gradleNodePluginVersion=7.1.0
 gradlePluginsVersion=6.1.0
-owaspDependencyCheckPluginVersion=12.1.0
+owaspDependencyCheckPluginVersion=12.1.3
 versioningPluginVersion=1.1.2
 # Versions of node and npm to use during the build. If set, these versions
@@ -99,7 +99,7 @@ apacheDirectoryVersion=2.1.7
 apacheMinaVersion=2.2.4
 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
-apacheTomcatVersion=10.1.41
+apacheTomcatVersion=10.1.42
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
@@ -290,7 +290,7 @@ slf4jLog4jApiVersion=2.0.16
 snappyJavaVersion=1.1.10.7
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=3.4.5
+springBootVersion=3.5.3
 # This usually matches the Spring Framework version dictated by springBootVersion
 springVersion=6.2.8
diff --git a/server/configs/application.properties b/server/configs/application.properties
index 8f85e56fca..d3a6a574b1 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -46,6 +46,7 @@ context.encryptionKey=@@encryptionKey@@
 ## By default, we serve LabKey at the root context path (e.g. http://localhost:8080)
 ## You may customize the context path if you wish (e.g. http://localhost:8080/labkey)
+## Context path value must start with a slash
 #context.contextPath=/labkey
 ## Using a legacy context path provides backwards compatibility with old deployments. A typical use case would be to
@@ -65,6 +66,14 @@ context.encryptionKey=@@encryptionKey@@
 #context.bypass2FA=true
 #context.workDirLocation=/path/to/desired/workDir
+## Tomcat v10.1.42 lowered the default for part count from 1000 to 10. Our default is now 500.
+## Tomcat also lowered the header size default from 10Kb to 512, which is also our default.
+## We lower max connections from default 8192 to 250, providing ample concurrent requests for LabKey Server scenarios.
+## These settings can be overridden if needed, but reasonable limits reduce your server's vulnerability to DoS attacks.
+server.tomcat.max-part-count=500
+server.tomcat.max-part-header-size=512
+server.tomcat.max-connections=250
+
 ## SMTP configuration
 mail.smtpHost=@@smtpHost@@
 mail.smtpPort=@@smtpPort@@
diff --git a/server/configs/webapps/embedded/config/application.properties b/server/configs/webapps/embedded/config/application.properties
index 62d1459fa3..e0e654f3bc 100644
--- a/server/configs/webapps/embedded/config/application.properties
+++ b/server/configs/webapps/embedded/config/application.properties
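Review bot: The comment added above `server.tomcat.max-connections=250` in server/configs/application.properties presents the lower cap purely as DoS hardening, but a smaller cap also means fewer idle or slow connections are enough to keep legitimate clients waiting, so the limit only helps alongside sensible connection and keep-alive timeouts or a fronting proxy. I would say so in the comment, e.g. `## A low max-connections value relies on connection/keep-alive timeouts (or a reverse proxy) to release stalled connections.` The header-size line should also name its unit: `from 10Kb to 512 bytes`. If the 500-part default lives only in this template, deployments that keep an older application.properties would presumably fall back to Tomcat's default of 10 parts after the upgrade, which deserves a release note; the diff does not show whether the embedded code sets it as well. The same block is added to server/configs/webapps/embedded/config/application.properties and the same remarks apply there.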
@@ -103,6 +103,14 @@ mail.smtpUser=Anonymous
 #context.bypass2FA=true
 #context.workDirLocation=@@/path/to/desired/workDir@@
+## Tomcat v10.1.42 lowered the default for part count from 1000 to 10. Our default is now 500.
+## Tomcat also lowered the header size default from 10Kb to 512, which is also our default.
+## We lower max connections from default 8192 to 250, providing ample concurrent requests for LabKey Server scenarios.
+## These settings can be overridden if needed, but reasonable limits reduce your server's vulnerability to DoS attacks.
+server.tomcat.max-part-count=500
+server.tomcat.max-part-header-size=512
+server.tomcat.max-connections=250
+
 ## Other webapps to be deployed, most commonly to deliver a set of static files. The context path to deploy into is the
 ## property name after the "context.additionalWebapps." prefix, and the value is the location of the webapp on disk
 #context.additionalWebapps.firstContextPath=@@/my/webapp/path@@
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index 54057d5750..3c2fafe658 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -93,7 +93,7 @@ public static void main(String[] args)
 base-uri 'self' ;
 frame-ancestors 'self' ;
 frame-src 'self' ${FRAME.SOURCES} ;
- report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS}
+ report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS}
 """
 ));
 application.setBannerMode(Banner.Mode.OFF);
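Review bot: The new `report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api...` line in LabKeyServer.java concatenates the configured context path without normalising it, so a value of `/` or one ending in a slash would yield `//admin-contentSecurityPolicyReport.api`, which a browser treats as a scheme-relative URL naming another host, and CSP violation reports would then leave this server. Whether `context.contextPath` is validated elsewhere is not visible in this hunk; if it is not, a trailing slash should be rejected or stripped at startup, and the comment added to application.properties extended to `## Context path value must start with a slash and must not end with one`. A one-line comment above the text block saying that the empty default after the colon covers the root-context deployment would help the next reader. The enclosing `main` method starts and ends outside the hunk.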