diff --git a/config/config.go b/config/config.go
index 73c6877..f4a6310 100644
--- a/config/config.go
+++ b/config/config.go
@@ -16,6 +16,7 @@ type Config struct {
 FileRoot string
 Auth bool
 AuthLifetime time.Duration
+ MaxFileSize int64
 }
 func New() Config {
@@ -35,6 +36,7 @@ func New() Config {
 as.Append(args.STRING, "drivertype", "database driver to use", "boltdb")
 as.Append(args.BOOL, "auth", "check for authorized access", false)
 as.Append(args.DURATION, "authlifetime", "duration auth is valid for", time.Hour)
+ as.Append(args.INT, "max-file-size", "max file size for uploads in bytes", 50*(1<<20))
 if err := as.Parse(); err != nil {
 panic(err)
@@ -49,5 +51,6 @@ func New() Config {
 DriverType: as.GetString("drivertype"),
 Auth: as.GetBool("auth"),
 AuthLifetime: as.GetDuration("authlifetime"),
+ MaxFileSize: int64(as.GetInt("max-file-size")),
 }
 }
diff --git a/view/files.go b/view/files.go
index 94476c2..e1af43e 100644
--- a/view/files.go
+++ b/view/files.go
@@ -77,8 +77,7 @@ func filesPostFromDirectLink(w http.ResponseWriter, r *http.Request) error {
 return err
 }
 defer f.Close()
- // TODO max bytes reader
- _, err = io.Copy(f, resp.Body)
+ _, err = io.Copy(f, io.LimitReader(resp.Body, config.New().MaxFileSize))
 return err
 }
@@ -97,14 +96,15 @@ func filesPostFromUpload(w http.ResponseWriter, r *http.Request) error {
 return err
 }
 defer f.Close()
- megabyte := 100 << 20
- r.ParseMultipartForm(int64(megabyte))
+ megabyte := 1 << 20
+ chunkSize := 10 * megabyte
+ r.ParseMultipartForm(int64(chunkSize))
 file, _, err := r.FormFile("file")
 if err != nil {
 return err
 }
 defer file.Close()
- if _, err := io.Copy(f, file); err != nil {
+ if _, err := io.Copy(f, io.LimitReader(file, config.New().MaxFileSize)); err != nil {
 return err
 }
 return json.NewEncoder(w).Encode(map[string]interface{}{"status": "ok"})
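Review bot: `MaxFileSize: int64(as.GetInt("max-file-size"))` in config.New (third hunk of config/config.go) accepts zero and negative values without complaint. `io.LimitReader` reports EOF immediately when its limit is 0 or less, so with such a setting both copy calls in view/files.go write an empty file and the handlers still report success. I would reject a non-positive value right after `as.Parse()`, next to the existing panic on parse errors, e.g. `if as.GetInt("max-file-size") <= 0 { panic("max-file-size must be positive") }`. If `GetInt` returns a platform `int` (its signature is not visible here), the limit is also capped near 2 GiB on 32-bit builds, which is worth stating in the flag's help text. New's body starts and ends outside this hunk.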
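Review bot: `io.Copy(f, io.LimitReader(resp.Body, config.New().MaxFileSize))` in filesPostFromDirectLink stops silently at the limit, so a larger body is stored truncated and the handler returns nil as if the transfer had succeeded. The same applies to the `io.LimitReader(file, ...)` copy in filesPostFromUpload in the next hunk. Reading one byte past the limit and returning an error when that byte arrives makes the oversize case visible to the client; the partial file should then be removed, which needs the path that is created outside this hunk. Separately, `config.New()` appears to re-parse the arguments on every request and panics on a parse error, so passing the already-built Config into the handlers would be safer.

```go
// … unchanged: create f, defer f.Close() …
limit := config.New().MaxFileSize
// Read one byte past the limit so an oversized body is detected rather than cut off.
n, err := io.Copy(f, io.LimitReader(resp.Body, limit+1))
if err != nil {
	return err
}
if n > limit {
	return fmt.Errorf("download exceeds max-file-size of %d bytes", limit)
}
return nil
```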
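Review bot: `r.ParseMultipartForm(int64(chunkSize))` in filesPostFromUpload does not bound the request size. Its argument only limits how much of the form is held in memory, and the remainder is written to temporary files, so the whole body has already been received and spooled to disk before the `io.LimitReader` on `file` takes effect. To make max-file-size an actual bound on what the server accepts, cap the body before parsing with `r.Body = http.MaxBytesReader(w, r.Body, limit)`, where `limit` is MaxFileSize plus some headroom for multipart framing. The parse result is also discarded on the new line; `if err := r.ParseMultipartForm(int64(chunkSize)); err != nil { return err }` would surface a rejected or malformed body instead of failing later in `r.FormFile`. The function starts outside this hunk.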