diff --git a/src/auth/nip98.rs b/src/auth/nip98.rs
index 2450baa..f50829e 100644
--- a/src/auth/nip98.rs
+++ b/src/auth/nip98.rs
@@ -1,17 +1,18 @@
 use std::ops::Sub;
 use std::time::Duration;
 
-use base64::prelude::BASE64_STANDARD;
 use base64::Engine;
+use base64::prelude::BASE64_STANDARD;
 use log::info;
 use nostr::{Event, JsonUtil, Kind, Timestamp};
-use rocket::http::uri::{Absolute, Uri};
-use rocket::http::Status;
-use rocket::request::{FromRequest, Outcome};
 use rocket::{async_trait, Request};
+use rocket::http::Status;
+use rocket::http::uri::{Absolute, Uri};
+use rocket::request::{FromRequest, Outcome};
 
 pub struct Nip98Auth {
     pub content_type: Option<String>,
+    pub content_length: Option<usize>,
     pub event: Event,
 }
 
@@ -95,6 +96,13 @@ impl<'r> FromRequest<'r> for Nip98Auth {
                             None
                         }
                     }),
+                    content_length: request.headers().iter().find_map(|h| {
+                        if h.name == "content-length" {
+                            Some(h.value.parse().unwrap())
+                        } else {
+                            None
+                        }
+                    }),
                 })
             } else {
                 Outcome::Error((Status::new(403), "Auth scheme must be Nostr"))
diff --git a/src/routes/blossom.rs b/src/routes/blossom.rs
index 4a854ce..13d8b79 100644
--- a/src/routes/blossom.rs
+++ b/src/routes/blossom.rs
@@ -92,16 +92,19 @@ async fn upload(
         Tag::Name(s) => Some(s.clone()),
         _ => None,
     });
-    let size = auth.event.tags.iter().find_map(|t| {
+    let size = match auth.event.tags.iter().find_map(|t| {
         let values = t.as_vec();
         if values.len() == 2 && values[0] == "size" {
             Some(values[1].parse::<usize>().unwrap())
         } else {
             None
         }
-    });
-    if size.is_none() {
-        return BlossomResponse::error("Invalid request, no size tag");
+    }) {
+        Some(s) => s,
+        None => return BlossomResponse::error("Invalid request, no size tag")
+    };
+    if size > settings.max_upload_bytes {
+        return BlossomResponse::error("File too large");
     }
     let mime_type = auth
         .content_type
diff --git a/src/routes/nip96.rs b/src/routes/nip96.rs
index d6168d0..81a1078 100644
--- a/src/routes/nip96.rs
+++ b/src/routes/nip96.rs
@@ -1,9 +1,7 @@
-use std::borrow::Cow;
 use std::collections::HashMap;
 use std::fs;
 
 use chrono::Utc;
-use libc::remove;
 use log::error;
 use rocket::{FromForm, Responder, Route, routes, State};
 use rocket::form::Form;
@@ -156,6 +154,11 @@ async fn upload(
     settings: &State<Settings>,
     form: Form<Nip96Form<'_>>,
 ) -> Nip96Response {
+    if let Some(size) = auth.content_length {
+        if size > settings.max_upload_bytes {
+            return Nip96Response::error("File too large");
+        }
+    }
     let file = match form.file.open().await {
         Ok(f) => f,
         Err(e) => return Nip96Response::error(&format!("Could not open file: {}", e)),