diff --git a/backend/cmd/web/main.go b/backend/cmd/web/main.go
index 7d164c6..0d003c5 100644
--- a/backend/cmd/web/main.go
+++ b/backend/cmd/web/main.go
@@ -119,8 +119,14 @@ func main() {
 Addr: ":" + port,
 Handler: router,
 // T-01-10 slow-client mitigation per RESEARCH Security Domain.
- ReadTimeout: 15 * time.Second,
- WriteTimeout: 15 * time.Second,
+ // ReadTimeout covers request header + body read; 15 s is sufficient for API
+ // calls but upload routes read up to MAX_UPLOAD_SIZE_MB (default 25 MB). The
+ // MaxBytesReader in FileUploadHandler bounds the body size, not time; a slow
+ // upload at ~256 KB/s takes ~100 s. WriteTimeout covers the full request
+ // lifecycle from accept to response flush, so it must be generous enough for
+ // large uploads. 120 s accommodates 25 MB at ~250 KB/s with headroom.
+ ReadTimeout: 120 * time.Second,
+ WriteTimeout: 120 * time.Second,
 IdleTimeout: 60 * time.Second,
 }
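Review bot: The 120 s ReadTimeout now applies to every route, and since no ReadHeaderTimeout is set in the visible fields the header phase inherits it, so a client can hold a connection for two minutes while trickling headers, which is the slow-client case the T-01-10 comment is meant to bound. Adding `ReadHeaderTimeout: 10 * time.Second,` (value illustrative) beside the new timeouts keeps the header phase tight while upload bodies get the longer window. If uploads are the only slow path, a per-request deadline in the upload handler via `http.NewResponseController(w, r).SetReadDeadline(...)` (Go 1.20+) would let the server-wide values stay at 15 s. The new comment's statement that WriteTimeout runs "from accept" holds for TLS connections; for plain HTTP net/http starts it once the request headers have been read, so the wording should say which case applies here. The http.Server literal opens above this hunk and FileUploadHandler is not shown, so the per-route suggestion is based on the comment's description only.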