diff --git a/CHANGES b/CHANGES
index 3cc7b5ffc..be2461007 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2437,4 +2437,5 @@
 [7.1.3]
 * Fix security issue where an admin can impersonate an owner
+* block list: can upload up to 2MB
diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index 5040940a9..5c56bf141 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -215,7 +215,7 @@ server {
 <% if ( endpoint === 'dashboard' || endpoint === 'setup' ) { %>
 location /api/ {
 proxy_pass http://127.0.0.1:3000;
- client_max_body_size 1m;
+ client_max_body_size 2m;
 }
 location ~ ^/api/v1/cloudron/login$ {
diff --git a/src/server.js b/src/server.js
index fd8d9e698..68cb212bf 100644
--- a/src/server.js
+++ b/src/server.js
@@ -29,7 +29,7 @@ function initializeExpressSync() {
 const wsServer = new ws.Server({ noServer: true }); // in noServer mode, we have to handle 'upgrade' and call handleUpgrade
- const QUERY_LIMIT = '1mb', // max size for json and urlencoded queries (see also client_max_body_size in nginx)
+ const QUERY_LIMIT = '2mb', // max size for json and urlencoded queries (see also client_max_body_size in nginx)
 FIELD_LIMIT = 2 * 1024 * 1024; // max fields that can appear in multipart
 const REQUEST_TIMEOUT = 20000; // timeout for all requests (see also setTimeout on the httpServer)
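Review bot: The new `client_max_body_size 2m;` in `location /api/` of src/nginxconfig.ejs doubles the accepted body size for every API route on the dashboard and setup endpoints, not only the block list upload that CHANGES names. Going by its comment, the `QUERY_LIMIT = '2mb'` change in src/server.js does the same for all json and urlencoded bodies. Larger bodies mean more buffering and parsing per request, which matters most if any route under this prefix is reachable before authentication (not visible in this hunk). Consider keeping the 1m default and giving only the block list route the higher limit, e.g. `location = <BLOCKLIST_ROUTE_PLACEHOLDER> { proxy_pass http://127.0.0.1:3000; client_max_body_size 2m; }`, with a matching per-route parser limit in server.js. The `server` block starts and ends outside the hunk.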
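Review bot: `QUERY_LIMIT = '2mb'` in src/server.js caps the whole request body, so it does not quite allow the "up to 2MB" block list that CHANGES promises. If the list travels inside a JSON or urlencoded body (the handler is not visible here), the field name, quoting and escaping count against the same limit, and a list close to 2MB gets a generic size rejection from the parser or from nginx. It would help to check the list length explicitly in the block list route and return a clear error, and to record the reason for the value in the comment, e.g. `// max size for json and urlencoded bodies, envelope included; 2mb for block list uploads (keep equal to client_max_body_size in nginx)`. The body of `initializeExpressSync` continues outside the hunk.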