diff --git a/backend/app/api/board_webhooks.py b/backend/app/api/board_webhooks.py
index 079ca3f5..499deae4 100644
--- a/backend/app/api/board_webhooks.py
+++ b/backend/app/api/board_webhooks.py
@@ -516,10 +516,10 @@ async def ingest_board_webhook(
 detail="Webhook is disabled.",
 )
 
- # Enforce a 1 MB payload size limit to prevent memory exhaustion.
+ # Enforce payload size limit to prevent memory exhaustion.
 # Read the body in chunks via request.stream() so an attacker cannot
 # cause OOM by sending a huge body with a missing/spoofed Content-Length.
- max_payload_bytes = 1_048_576
+ max_payload_bytes = settings.webhook_max_payload_bytes
 content_length = request.headers.get("content-length")
 try:
 cl = int(content_length) if content_length else 0
diff --git a/backend/app/core/config.py b/backend/app/core/config.py
index 1534d556..3e9f6c6e 100644
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -57,6 +57,9 @@ class Settings(BaseSettings):
 security_header_referrer_policy: str = "strict-origin-when-cross-origin"
 security_header_permissions_policy: str = ""
 
+ # Webhook payload size limit in bytes (default 1 MB).
+ webhook_max_payload_bytes: int = 1_048_576
+
 # Database lifecycle
 db_auto_migrate: bool = False
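Review bot: `max_payload_bytes = settings.webhook_max_payload_bytes` takes the cap from configuration with no sanity check, so a misconfigured value of 0 or a negative number would, depending on how the streaming loop below compares against it, either reject every webhook or silently remove the limit the comment promises. Validate at the source in `Settings` (for example `webhook_max_payload_bytes: int = Field(default=1_048_576, gt=0)`), or failing that guard here with `if max_payload_bytes <= 0: raise RuntimeError("webhook_max_payload_bytes must be positive")`. Now that the literal is gone the comment could name where the value comes from, e.g. `# Enforce the configured payload size limit (settings.webhook_max_payload_bytes) to prevent memory exhaustion.` The reference to `settings` assumes it is already imported in this module, which the hunk does not show. ingest_board_webhook begins and ends outside the hunk.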