diff --git a/internal/witness/cmd/witness/impl/witness.go b/internal/witness/cmd/witness/impl/witness.go
index 94eeab5eb0..d2a44ebb31 100644
--- a/internal/witness/cmd/witness/impl/witness.go
+++ b/internal/witness/cmd/witness/impl/witness.go
@@ -23,6 +23,7 @@ import (
 "errors"
 "fmt"
 "net/http"
+ "time"
 
 ct "github.com/google/certificate-transparency-go"
 ih "github.com/google/certificate-transparency-go/internal/witness/cmd/witness/internal/http"
@@ -124,8 +125,12 @@ func Main(ctx context.Context, opts ServerOpts) error {
 r := mux.NewRouter().UseEncodedPath()
 srv.RegisterHandlers(r)
 hServer := &http.Server{
- Addr: opts.ListenAddr,
- Handler: r,
+ Addr: opts.ListenAddr,
+ Handler: r,
+ ReadHeaderTimeout: 10 * time.Second,
+ ReadTimeout: 2 * time.Minute,
+ WriteTimeout: 2 * time.Minute,
+ IdleTimeout: 2 * time.Minute,
 }
 e := make(chan error, 1)
 go func() {
diff --git a/submission/server/main.go b/submission/server/main.go
index e7b59f51a8..d8ec28d9d2 100644
--- a/submission/server/main.go
+++ b/submission/server/main.go
@@ -70,5 +70,13 @@ func main() {
 http.HandleFunc("/ct/v1/proxy/add-chain/", s.HandleAddChain)
 http.Handle("/metrics", promhttp.Handler())
 http.HandleFunc("/", s.HandleInfo)
- log.Fatal(http.ListenAndServe(*httpEndpoint, nil))
+ srv := &http.Server{
+ Addr: *httpEndpoint,
+ Handler: nil,
+ ReadHeaderTimeout: 10 * time.Second,
+ ReadTimeout: 2 * time.Minute,
+ WriteTimeout: 2 * time.Minute,
+ IdleTimeout: 2 * time.Minute,
+ }
+ log.Fatal(srv.ListenAndServe())
 }
diff --git a/trillian/ctfe/ct_server/main.go b/trillian/ctfe/ct_server/main.go
index a61c3159d0..6f4c939bfb 100644
--- a/trillian/ctfe/ct_server/main.go
+++ b/trillian/ctfe/ct_server/main.go
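Review bot: The `hServer` literal in `Main` now bounds how long a request may take, but it still leaves `MaxHeaderBytes` at the net/http default of 1 MiB, whereas the ct_server literals in this same commit cap it at `128 * 1024`. For a listener that may face untrusted clients I would add `MaxHeaderBytes: 128 * 1024,` next to the new timeouts, and do the same for the `srv` literal in submission/server/main.go. A short comment above `ReadHeaderTimeout`, e.g. `// Timeouts bound slow or stalled clients.`, would mark the fields as deliberate hardening rather than tuning. `Main` starts and ends outside this hunk.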
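Review bot: `Handler: nil` makes this server serve `http.DefaultServeMux`, so anything another imported package registers on the default mux is exposed on `*httpEndpoint` alongside the proxy routes and `/metrics`. Now that the server is built explicitly, a dedicated mux would make the exposed surface visible here: `mux := http.NewServeMux()`, register the handlers on it, and pass `Handler: mux`. If the default mux is kept, drop the redundant field or annotate it, e.g. `Handler: nil, // nil means http.DefaultServeMux`. The hunk uses `time.Second` without a matching import change, so `time` is presumably already imported in this file; `main` begins outside the hunk.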
@@ -308,7 +308,15 @@ func main() {
 go func() {
 mux := http.NewServeMux()
 mux.Handle("/metrics", promhttp.Handler())
- metricsServer := http.Server{Addr: metricsAt, Handler: mux, MaxHeaderBytes: 128 * 1024}
+ metricsServer := http.Server{
+ Addr: metricsAt,
+ Handler: mux,
+ MaxHeaderBytes: 128 * 1024,
+ ReadHeaderTimeout: 10 * time.Second,
+ ReadTimeout: 2 * time.Minute,
+ WriteTimeout: 2 * time.Minute,
+ IdleTimeout: 2 * time.Minute,
+ }
 err := metricsServer.ListenAndServe()
 klog.Warningf("Metrics server exited: %v", err)
 }()
@@ -337,9 +345,26 @@ func main() {
 Certificates: []tls.Certificate{cert},
 MinVersion: tls.VersionTLS12,
 }
- srv = http.Server{Addr: *httpEndpoint, Handler: handler, TLSConfig: tlsConfig, MaxHeaderBytes: 128 * 1024}
+ srv = http.Server{
+ Addr: *httpEndpoint,
+ Handler: handler,
+ TLSConfig: tlsConfig,
+ MaxHeaderBytes: 128 * 1024,
+ ReadHeaderTimeout: 10 * time.Second,
+ ReadTimeout: 2 * time.Minute,
+ WriteTimeout: 2 * time.Minute,
+ IdleTimeout: 2 * time.Minute,
+ }
 } else {
- srv = http.Server{Addr: *httpEndpoint, Handler: handler, MaxHeaderBytes: 128 * 1024}
+ srv = http.Server{
+ Addr: *httpEndpoint,
+ Handler: handler,
+ MaxHeaderBytes: 128 * 1024,
+ ReadHeaderTimeout: 10 * time.Second,
+ ReadTimeout: 2 * time.Minute,
+ WriteTimeout: 2 * time.Minute,
+ IdleTimeout: 2 * time.Minute,
+ }
 }
 if *httpIdleTimeout > 0 {
 srv.IdleTimeout = *httpIdleTimeout
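Review bot: The four timeout values are spelled out in the `metricsServer` literal here and again in both `srv` literals of the next hunk, so a later change can easily update one copy and miss the others. Hoisting them to file-level constants keeps the three servers in step, e.g. `const readHeaderTimeout = 10 * time.Second` used as `ReadHeaderTimeout: readHeaderTimeout,`. The goroutine and `main` both extend beyond this hunk.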
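Review bot: With `IdleTimeout: 2 * time.Minute` in both `srv` literals, a zero or negative `*httpIdleTimeout` no longer leaves keep-alive connections without an idle limit; it now silently falls back to two minutes. That is a sensible default, but the flag's help text is outside this hunk and may still describe the old behaviour, so it is worth checking, and a comment above the `if` such as `// A positive httpIdleTimeout overrides the 2-minute default set above.` would make the precedence explicit. `ReadTimeout` and `WriteTimeout` have no such override; since `WriteTimeout` also covers the time the handler spends producing the response, consider whether operators with slow backends need these configurable as well. The enclosing `if`/`else` and `main` start outside the hunk.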