diff --git a/conf/nginx.conf b/conf/nginx.conf
index f2a5a47..b3d3525 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -21,18 +21,9 @@ location ^~ __PATH__/ {
 # Path to source
 alias __INSTALL_DIR__/;
- # Add headers to serve security related headers
- more_set_headers "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;";
- more_set_headers "Referrer-Policy: no-referrer";
- more_set_headers "X-Content-Type-Options: nosniff";
- more_set_headers "X-Download-Options: noopen";
- more_set_headers "X-Frame-Options: SAMEORIGIN";
- more_set_headers "X-Permitted-Cross-Domain-Policies: none";
- more_set_headers "X-Robots-Tag: noindex, nofollow";
- more_set_headers "X-XSS-Protection: 1; mode=block";
- # Set max upload size
 client_max_body_size 10G;
+ client_body_timeout 300s;
 fastcgi_buffers 64 4K;
 # Enable gzip but do not remove ETag headers
@@ -52,6 +43,16 @@ location ^~ __PATH__/ {
 # for tunning hints
 client_body_buffer_size 512k;
+ # Add headers to serve security related headers
+ more_set_headers "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;";
+ more_set_headers "Referrer-Policy: no-referrer";
+ more_set_headers "X-Content-Type-Options: nosniff";
+ more_set_headers "X-Download-Options: noopen";
+ more_set_headers "X-Frame-Options: SAMEORIGIN";
+ more_set_headers "X-Permitted-Cross-Domain-Policies: none";
+ more_set_headers "X-Robots-Tag: noindex, nofollow";
+ more_set_headers "X-XSS-Protection: 1; mode=block";
+ # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
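Review bot: The new `client_body_timeout 300s;` in the first hunk, next to `client_max_body_size 10G;`, has no comment explaining why the read timeout is raised, and the value affects availability. This directive bounds the gap between two successive reads of the request body, not the whole upload, so a client that sends nothing can now hold a connection for 300s instead of nginx's 60s default. I would add a why-comment such as `# Allow up to 300s between body reads for slow uploads; an idle client holds its connection this long`, and confirm that connection or request limiting is configured at the server level, which this hunk does not show. The enclosing `location ^~ __PATH__/` block starts and ends outside the hunk.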
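Review bot: The header block re-added in the second hunk still sends `X-XSS-Protection: 1; mode=block`, which current browsers no longer act on; present guidance is to send `X-XSS-Protection: 0` or drop the header and rely on a Content-Security-Policy. No CSP header appears among these lines, though the application may set one itself. The `Strict-Transport-Security` value carries `includeSubDomains; preload`, which binds the whole host and every subdomain rather than only `__PATH__`, so it should be a deliberate choice for the domain this location is served from. The relocation is also undocumented, and a one-line comment above the block saying why it must sit after `client_body_buffer_size` would help the next maintainer.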