diff --git a/doc/configuration.rst b/doc/configuration.rst index f0c1792..da0789f 100644 --- a/doc/configuration.rst +++ b/doc/configuration.rst @@ -143,6 +143,20 @@ This configuration key points to the folder where user-uploaded tarballs are stored and served from. +UPLOAD_FOLDER_URL +~~~~~~~~~~~~~~~~~~ + +Full URL to where the uploads are available. It is highly recommanded for +security reasons that this URL lives on a different domain than the main +application (an entirely different domain, not just a sub-domain). + +Defaults to: ``/releases/``, unsafe for production! + + +.. warning:: both `UPLOAD_FOLDER_PATH` and `UPLOAD_FOLDER_URL` must be + specified for the upload release feature to work + + SESSION_COOKIE_SECURE ~~~~~~~~~~~~~~~~~~~~~ @@ -438,7 +452,7 @@ CHECK_SESSION_IP This configuration key specifies whether to check the user's IP address when retrieving its session. This makes things more secure but -under certain setups it might not work (for example if there +under certain setups it might not work (for example if there are proxies in front of the application). Defaults to: ``True``. diff --git a/pagure/default_config.py b/pagure/default_config.py index 3edab09..15c9a93 100644 --- a/pagure/default_config.py +++ b/pagure/default_config.py @@ -139,8 +139,7 @@ GITOLITE_CONFIG = os.path.join( # Configuration keys to specify where the upload folder is and what is its # name -UPLOAD_FOLDER = 'releases/' -UPLOAD_FOLDER_PATH = './' + UPLOAD_FOLDER +UPLOAD_FOLDER_PATH = './releases' # Home folder of the gitolite user -- Folder where to run gl-compile-conf from GITOLITE_HOME = None diff --git a/pagure/templates/releases.html b/pagure/templates/releases.html index 915a3e8..9eae4da 100644 --- a/pagure/templates/releases.html +++ b/pagure/templates/releases.html @@ -24,10 +24,10 @@ {% endif %} -{% if config.get('UPLOAD_FOLDER_PATH') and config.get('UPLOAD_FOLDER') %} +{% if config.get('UPLOAD_FOLDER_PATH') and config.get('UPLOAD_FOLDER_URL') %}
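Review bot: In the `pagure/default_config.py` hunk, `UPLOAD_FOLDER_URL` gets no default, although the documentation added in the same commit says it defaults to `/releases/`. Unless the key is defined elsewhere in the file, outside the hunk, `config.get('UPLOAD_FOLDER_URL')` is empty on a stock configuration, so the template hides the release link while the stored path is still set. Either add `UPLOAD_FOLDER_URL = '/releases/'` next to `UPLOAD_FOLDER_PATH` or correct the documented default. The comment above the key still ends with "and what is its name", which described the removed `UPLOAD_FOLDER`; I would replace it with `# Where uploaded releases are stored on disk; they are served from UPLOAD_FOLDER_URL, which should be a separate domain in production`.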

If the developers have upload one or more tarball(s), you will be able to - find them in the + find them in the release folder.

diff --git a/pagure/ui/repo.py b/pagure/ui/repo.py
index 541dfe8..d0aa182 100644
--- a/pagure/ui/repo.py
+++ b/pagure/ui/repo.py
@@ -930,7 +930,7 @@ def new_release(repo, username=None, namespace=None):
 """ Upload a new release.
 """
 if not APP.config.get('UPLOAD_FOLDER_PATH') \
- and not APP.config.get('UPLOAD_FOLDER'):
+ and not APP.config.get('UPLOAD_FOLDER_URL'):
 flask.abort(404)
 repo = flask.g.repo
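Review bot: The guard at the top of `new_release` returns 404 only when both keys are unset, so with `UPLOAD_FOLDER_PATH` configured and `UPLOAD_FOLDER_URL` missing the upload view remains reachable. That contradicts the documentation warning added in this commit (both keys must be specified) and the `and` test in `releases.html`, and it lets releases be accepted without the separate serving URL the documentation recommends for security. The second line of the condition should read `or not APP.config.get('UPLOAD_FOLDER_URL'):`, keeping the first line as it is. The body of `new_release` continues past the end of the hunk, so how the URL is used further down is not visible here.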