diff --git a/jdav_web/jdav_web/settings.py b/jdav_web/jdav_web/settings.py
index 385edaf..b10b73b 100644
--- a/jdav_web/jdav_web/settings.py
+++ b/jdav_web/jdav_web/settings.py
@@ -36,6 +36,11 @@ MEDIA_ROOT = os.environ.get('DJANGO_MEDIA_ROOT',
 			    os.path.join((os.path.join(BASE_DIR, os.pardir)), "media"))
 MEDIA_MEMBERLISTS = os.path.join((os.path.join(BASE_DIR, os.pardir)), "media")
 
+# prevent large files from being unreadable by the server
+# see
+# https://stackoverflow.com/questions/51439689/django-nginx-error-403-forbidden-when-serving-media-files-over-some-size
+FILE_UPLOAD_PERMISSIONS = 0o640
+
 # x forward
 
 USE_X_FORWARDED_HOST = True