diff --git a/cmd/csaf_provider/actions.go b/cmd/csaf_provider/actions.go
index 3ebcad0..951b187 100644
--- a/cmd/csaf_provider/actions.go
+++ b/cmd/csaf_provider/actions.go
@@ -37,7 +37,7 @@ func cleanFileName(s string) string {
 return s
 }
-func loadCSAF(r *http.Request) (string, []byte, error) {
+func (c *controller) loadCSAF(r *http.Request) (string, []byte, error) {
 file, handler, err := r.FormFile("csaf")
 if err != nil {
 return "", nil, err
@@ -45,8 +45,7 @@ func loadCSAF(r *http.Request) (string, []byte, error) {
 defer file.Close()
 var buf bytes.Buffer
- lr := io.LimitReader(file, 10*1024*1024)
- if _, err := io.Copy(&buf, lr); err != nil {
+ if _, err := io.Copy(&buf, c.cfg.uploadLimiter(file)); err != nil {
 return "", nil, err
 }
 return cleanFileName(handler.Filename), buf.Bytes(), nil
@@ -138,7 +137,7 @@ func (c *controller) create(*http.Request) (interface{}, error) {
 func (c *controller) upload(r *http.Request) (interface{}, error) {
- newCSAF, data, err := loadCSAF(r)
+ newCSAF, data, err := c.loadCSAF(r)
 if err != nil {
 return nil, err
 }
diff --git a/cmd/csaf_provider/config.go b/cmd/csaf_provider/config.go
index 5b047c6..65e1dce 100644
--- a/cmd/csaf_provider/config.go
+++ b/cmd/csaf_provider/config.go
@@ -10,6 +10,7 @@ package main
 import (
 "fmt"
+ "io"
 "os"
 "strings"
@@ -20,11 +21,12 @@ import (
 )
 const (
- configEnv = "CSAF_CONFIG"
- defaultConfigPath = "/usr/lib/casf/config.toml"
- defaultFolder = "/var/www/"
- defaultWeb = "/var/www/html"
- defaultOpenPGPURL = "https://openpgp.circl.lu/pks/lookup?op=get&search=${FINGERPRINT}"
+ configEnv = "CSAF_CONFIG"
+ defaultConfigPath = "/usr/lib/casf/config.toml"
+ defaultFolder = "/var/www/"
+ defaultWeb = "/var/www/html"
+ defaultOpenPGPURL = "https://openpgp.circl.lu/pks/lookup?op=get&search=${FINGERPRINT}"
+ defaultUploadLimit = 50 * 1024 * 1024
 )
 type config struct {
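Review bot: In the second actions.go hunk the configured limit only bounds the copy into `buf`, which runs after `r.FormFile("csaf")` (in the preceding hunk) has already parsed the multipart body. In net/http that parse keeps up to 32 MB of file parts in memory and spills the remainder to temporary files, so the size of the request itself stays unbounded whatever `upload_limit` says. Consider capping the body before it is parsed, for example by wrapping `r.Body` with `http.MaxBytesReader` in the handler that owns the ResponseWriter, using the same configured value. Whether a cap already exists upstream of loadCSAF (web server or CGI settings) cannot be seen from these hunks.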
@@ -41,6 +43,7 @@ type config struct {
 NoWebUI bool `toml:"no_web_ui"`
 DynamicProviderMetaData bool `toml:"dynamic_provider_metadata"`
 Publisher *csaf.Publisher `toml:"publisher"`
+ UploadLimit *int64 `toml:"upload_limit"`
 }
 type tlp string
@@ -70,6 +73,14 @@ func (t *tlp) UnmarshalText(text []byte) error {
 return fmt.Errorf("invalid config TLP value: %v", string(text))
 }
+func (cfg *config) uploadLimiter(r io.Reader) io.Reader {
+ // Zero or less means no upload limit.
+ if cfg.UploadLimit == nil || *cfg.UploadLimit < 1 {
+ return r
+ }
+ return io.LimitReader(r, *cfg.UploadLimit)
+}
+
 func (cfg *config) GetOpenPGPURL(key *crypto.Key) string {
 if key == nil {
 return cfg.OpenPGPURL
@@ -143,5 +154,10 @@ func loadConfig() (*config, error) {
 }
 }
+ if cfg.UploadLimit == nil {
+ ul := int64(defaultUploadLimit)
+ cfg.UploadLimit = &ul
+ }
+
 return &cfg, nil
 }
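Review bot: `uploadLimiter` (second config.go hunk on this line) returns an `io.LimitReader`, which reports a plain EOF once the limit is reached, so loadCSAF passes on a silently truncated document instead of rejecting an oversized upload. Reading one byte past the limit makes the overflow detectable: `return io.LimitReader(r, *cfg.UploadLimit+1)` here, plus a check after the copy in loadCSAF such as `if int64(buf.Len()) > limit { return "", nil, errors.New("upload exceeds upload_limit") }`. Separately, any `upload_limit` of zero or below switches the limit off, and the whole upload is then buffered in memory. A doc comment on the `UploadLimit` field, e.g. `// UploadLimit is the maximum upload size in bytes; values < 1 disable the limit.`, would make the unit and that escape hatch explicit to operators.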