diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
index 9a86a429..b25eb465 100644
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@@ -123,6 +123,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
         var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null,
         var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
         var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
+        "${var.namespace}-body-size-${var.name}@kubernetescrd",
       ], var.extra_middlewares)))
       "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
     }, var.extra_annotations)
@@ -203,3 +204,20 @@ resource "kubernetes_manifest" "custom_csp" {
     }
   }
 }
+
+# Max request body size middleware - enforces var.max_body_size per ingress
+resource "kubernetes_manifest" "body_size" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "body-size-${var.name}"
+      namespace = var.namespace
+    }
+    spec = {
+      buffering = {
+        maxRequestBodyBytes = parseint(replace(var.max_body_size, "m", ""), 10) * 1024 * 1024
+      }
+    }
+  }
+}