diff --git a/lib/context.c b/lib/context.c
index 93cef20c7670de6ae7a1902b7df51cd78d86be3f..27c82243e88590ea45e3d7d44519f6c4e46ab58e 100644
--- a/lib/context.c
+++ b/lib/context.c
@@ -470,6 +470,11 @@ lws_create_vhost(struct lws_context *context,
 	else
 		vh->keepalive_timeout = 5;
 
+	if (info->timeout_secs_ah_idle)
+		vh->timeout_secs_ah_idle = info->timeout_secs_ah_idle;
+	else
+		vh->timeout_secs_ah_idle = 10;
+
 	/*
 	 * give the vhost a unified list of protocols including the
 	 * ones that came from plugins
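Review bot: The assignment `vh->timeout_secs_ah_idle = info->timeout_secs_ah_idle;` copies an `unsigned int` from the creation info into the `int` vhost member added in lib/private-libwebsockets.h, so a value above INT_MAX becomes a negative timeout that the lib/parsers.c hunk then passes to `lws_set_timeout()`. Because this setting bounds how long a client may hold an ah, an out-of-range value should fail safe: either give both fields the same type or clamp here, e.g. `vh->timeout_secs_ah_idle = info->timeout_secs_ah_idle > INT_MAX ? INT_MAX : (int)info->timeout_secs_ah_idle;`. The literal `10` would also be easier to keep in sync with the header comment as a named constant. lws_create_vhost's body starts and continues outside the hunk.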
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index 48ef9e2d624f41f0616440909c057f38bad84bc4..ef8efca40d3210fdf325eb2dbba1f254a79e7077 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -2115,6 +2115,9 @@ struct lws_context_creation_info {
 	 * the form SSL_CB_ALERT, defined in openssl/ssl.h.  The default of
 	 * 0 means no info events will be reported.
 	 */
+	unsigned int timeout_secs_ah_idle;
+	/**< VHOST: seconds to allow a client to hold an ah without using it.
+	 * 0 defaults to 10s. */
 
 	void *_unused[8]; /**< dummy */
 };
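Review bot: The doc comment on `timeout_secs_ah_idle` says neither what an "ah" is nor what happens when the limit is reached, and someone tuning this against slow-header clients needs both. Suggested wording: `/**< VHOST: seconds a connection may hold an ah (allocated header table) before PENDING_TIMEOUT_HOLDING_AH fires on it; 0 selects the 10s default, so the limit cannot be disabled here. */`. "Without using it" reads as an idle timer, while the lib/parsers.c hunk arms the timeout once at header-table reset. Whether it restarts as header bytes arrive is not visible in this diff, so the comment should state which behaviour applies.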
@@ -3670,6 +3673,7 @@ enum pending_timeout {
 	PENDING_TIMEOUT_KILLED_BY_SSL_INFO			= 22,
 	PENDING_TIMEOUT_KILLED_BY_PARENT			= 23,
 	PENDING_TIMEOUT_CLOSE_SEND				= 24,
+	PENDING_TIMEOUT_HOLDING_AH				= 25,
 
 	/****** add new things just above ---^ ******/
 };
diff --git a/lib/parsers.c b/lib/parsers.c
index 172de1dff81cef168973eb0938ef81e4feb72df9..2f4799e910776a9d76330263140c88dfdd9c395c 100644
--- a/lib/parsers.c
+++ b/lib/parsers.c
@@ -92,6 +92,10 @@ lws_header_table_reset(struct lws *wsi, int autoservice)
 	/* since we will restart the ah, our new headers are not completed */
 	wsi->hdr_parsing_completed = 0;
 
+	/* while we hold the ah, keep a timeout on the wsi */
+	lws_set_timeout(wsi, PENDING_TIMEOUT_HOLDING_AH,
+			wsi->vhost->timeout_secs_ah_idle);
+
 	/*
 	 * if we inherited pending rx (from socket adoption deferred
 	 * processing), apply and free it.
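Review bot: `lws_set_timeout(wsi, PENDING_TIMEOUT_HOLDING_AH, ...)` is armed here on each header-table reset, but no hunk in this commit clears or replaces it where the ah is released. If the detach path (outside this diff) leaves it pending, a connection that completed its headers in time could still be timed out later under PENDING_TIMEOUT_HOLDING_AH. Please confirm, or clear it on detach when that reason is still the pending one, e.g. `lws_set_timeout(wsi, NO_PENDING_TIMEOUT, 0);`. The call presumably also overrides whatever timeout was already pending on the wsi and dereferences `wsi->vhost` unconditionally, so I would extend the comment to `/* while we hold the ah, keep a timeout on the wsi; replaces any pending timeout, vhost must be bound */` if both are intended. lws_header_table_reset's body starts and continues outside the hunk.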
diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h
index a527661b15da08b214f6697e4c097ad5dcfd04fa..1fd06b10464a404fff0d94e4da9a8b84062a2fcd 100644
--- a/lib/private-libwebsockets.h
+++ b/lib/private-libwebsockets.h
@@ -891,6 +891,7 @@ struct lws_vhost {
 	int ka_probes;
 	int ka_interval;
 	int keepalive_timeout;
+	int timeout_secs_ah_idle;
 	int ssl_info_event_mask;
 #ifdef LWS_WITH_ACCESS_LOG
 	int log_fd;