diff --git a/app/Controllers/InfoController.js b/app/Controllers/InfoController.js
index f9d9f052..1f535eb2 100644
--- a/app/Controllers/InfoController.js
+++ b/app/Controllers/InfoController.js
@@ -10,6 +10,7 @@ const sendInfo = catchAsync(async (_req, res) => {
     version: getVersion(),
     locked: config.service.invite_code,
     commitRef: gitDescribe === undefined ? (gitDescribe = await getGitDescribe()) : gitDescribe,
+    max_file_upload: config.server.max_file_upload,
     email_confirm: {
       enabled: config.service.email_confirm,
       level: config.service.email_confirm_level,
diff --git a/app/config/config/schema.js b/app/config/config/schema.js
index 5c7e404a..956c912d 100644
--- a/app/config/config/schema.js
+++ b/app/config/config/schema.js
@@ -55,6 +55,7 @@ const configSchema = Joi.object({
       .forbidden()
       .messages({ 'any.unknown': 'The `sever.registration_locked` option is moved to `service.invite_code`' }),
     cors: Joi.alternatives().try(Joi.boolean(), Joi.keyArray()).default(false),
+    max_file_upload: Joi.string().default('1mb'),
   }).required(),
 
   database: Joi.object({
diff --git a/docs/api/swagger.json b/docs/api/swagger.json
index a1d48e97..c2dd2fbb 100644
--- a/docs/api/swagger.json
+++ b/docs/api/swagger.json
@@ -1082,6 +1082,9 @@
           "commitRef": {
             "type": "string"
           },
+          "max_file_upload": {
+            "type": "string"
+          },
           "email_confirm": {
             "type": "object",
             "properties": {
diff --git a/package.json b/package.json
index 1331069b..cfe48917 100644
--- a/package.json
+++ b/package.json
@@ -34,6 +34,7 @@
   },
   "dependencies": {
     "bcrypt": "^5.0.0",
+    "body-parser": "^1.20.1",
     "chalk": "^4.1.0",
     "cli-highlight": "^2.1.11",
     "commander": "^8.3.0",
diff --git a/server.js b/server.js
index be38d658..8f5bc87c 100644
--- a/server.js
+++ b/server.js
@@ -1,6 +1,7 @@
 const http = require('http');
 const path = require('path');
 const express = require('express');
+const bodyParser = require('body-parser');
 const chalk = require('chalk');
 const httpStatus = require('http-status');
 const eta = require('eta');
@@ -46,6 +47,10 @@ const createServer = async (extraConfig) => {
     next();
   });
 
+  // set body parser limit
+  server.app.use(bodyParser.json({ limit: config.server.max_file_upload }));
+  server.app.use(bodyParser.urlencoded({ extended: true, limit: config.server.max_file_upload }));
+
   // logging middleware
   server.app.use(LoggingMiddleware);
 
diff --git a/vocascan.config.example.js b/vocascan.config.example.js
index 5e10ea34..be258454 100644
--- a/vocascan.config.example.js
+++ b/vocascan.config.example.js
@@ -12,6 +12,7 @@ module.exports = {
     jwt_secret: '',
     salt_rounds: 10,
     cors: ['https://web.example1.com', 'https://web.example2.com'],
+    max_file_upload: '10mb',
   },
 
   database: {