diff --git a/docs/CONFIG_PARAMS.en.md b/docs/CONFIG_PARAMS.en.md
index 1222e89..7d708a0 100644
--- a/docs/CONFIG_PARAMS.en.md
+++ b/docs/CONFIG_PARAMS.en.md
@@ -2466,6 +2466,8 @@ Note: This section also accepts the legacy alias `[server.admin_api]` (same sche
 | [`mask_shape_above_cap_blur`](#cfg-censorship-mask_shape_above_cap_blur) | `bool` | `false` |
 | [`mask_shape_above_cap_blur_max_bytes`](#cfg-censorship-mask_shape_above_cap_blur_max_bytes) | `usize` | `512` |
 | [`mask_relay_max_bytes`](#cfg-censorship-mask_relay_max_bytes) | `usize` | `5242880` |
+| [`mask_relay_timeout_secs`](#cfg-censorship-mask_relay_timeout_secs) | `u64` | `60` |
+| [`mask_relay_idle_timeout_secs`](#cfg-censorship-mask_relay_idle_timeout_secs) | `u64` | `5` |
 | [`mask_classifier_prefetch_timeout_ms`](#cfg-censorship-mask_classifier_prefetch_timeout_ms) | `u64` | `5` |
 | [`mask_timing_normalization_enabled`](#cfg-censorship-mask_timing_normalization_enabled) | `bool` | `false` |
 | [`mask_timing_normalization_floor_ms`](#cfg-censorship-mask_timing_normalization_floor_ms) | `u64` | `0` |
@@ -2736,6 +2738,26 @@ Note: This section also accepts the legacy alias `[server.admin_api]` (same sche
     [censorship]
     mask_relay_max_bytes = 5242880
     ```
+<a id="cfg-censorship-mask_relay_timeout_secs"></a>
+- `mask_relay_timeout_secs`
+  - **Constraints / validation**: Should be `>= mask_relay_idle_timeout_secs`.
+  - **Description**: Wall-clock cap (seconds) for the full masking relay on non-MTProto fallback paths. Raise when the mask target is a long-lived service (e.g. WebSocket).
+  - **Example**:
+
+    ```toml
+    [censorship]
+    mask_relay_timeout_secs = 60
+    ```
+<a id="cfg-censorship-mask_relay_idle_timeout_secs"></a>
+- `mask_relay_idle_timeout_secs`
+  - **Constraints / validation**: Should be `<= mask_relay_timeout_secs`.
+  - **Description**: Per-read idle timeout (seconds) on masking relay and drain paths. Limits resource consumption by slow-loris attacks and port scanners. A read call stalling beyond this value is treated as an abandoned connection.
+  - **Example**:
+
+    ```toml
+    [censorship]
+    mask_relay_idle_timeout_secs = 5
+    ```
 <a id="cfg-censorship-mask_classifier_prefetch_timeout_ms"></a>
 - `mask_classifier_prefetch_timeout_ms`
   - **Constraints / validation**: Must be within `[5, 50]` (milliseconds).
diff --git a/src/config/hot_reload.rs b/src/config/hot_reload.rs
index 5582e9b..cb8d47e 100644
--- a/src/config/hot_reload.rs
+++ b/src/config/hot_reload.rs
@@ -611,6 +611,9 @@ fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: b
         || old.censorship.mask_shape_above_cap_blur_max_bytes
             != new.censorship.mask_shape_above_cap_blur_max_bytes
         || old.censorship.mask_relay_max_bytes != new.censorship.mask_relay_max_bytes
+        || old.censorship.mask_relay_timeout_secs != new.censorship.mask_relay_timeout_secs
+        || old.censorship.mask_relay_idle_timeout_secs
+            != new.censorship.mask_relay_idle_timeout_secs
         || old.censorship.mask_classifier_prefetch_timeout_ms
             != new.censorship.mask_classifier_prefetch_timeout_ms
         || old.censorship.mask_timing_normalization_enabled