diff --git a/src/config.yaml b/src/config.yaml
index 3780588..6c0fefe 100644
--- a/src/config.yaml
+++ b/src/config.yaml
@@ -34,3 +34,13 @@ options:
     default: 32
     type: int
     description: The length for generating an HMAC
+  max-allowed-secret-size:
+    default: 20000
+    type: int
+    description: |
+      Maximum allowed secret size in bytes.
+  max-allowed-request-size:
+    default: 25000
+    type: int
+    description: |
+      Maximum allowed http request size against the barbican-api.
diff --git a/src/templates/rocky/barbican.conf b/src/templates/rocky/barbican.conf
index 745c2c5..9911697 100644
--- a/src/templates/rocky/barbican.conf
+++ b/src/templates/rocky/barbican.conf
@@ -4,6 +4,8 @@ bind_host = {{ options.service_listen_info.barbican_worker.ip }}
 bind_port = {{ options.service_listen_info.barbican_worker.port }}
 host_href = {{ options.external_endpoints.barbican_worker.url }}
 db_auto_create = False
+max_allowed_secret_in_bytes = {{ options.max_allowed_secret_size }}
+max_allowed_request_size_in_bytes = {{ options.max_allowed_request_size }}
 
 {% include "parts/section-transport-url" %}