diff --git a/src/cli.ts b/src/cli.ts
index a6d2e8b..9864f79 100644
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -81,7 +81,12 @@ async function main() {
 const jsonMode = args.includes('--json');
 const timeoutArg = args.find((a, i) => a === '--timeout' && args[i + 1]);
- const timeoutMs = timeoutArg ? parseInt(args[args.indexOf('--timeout') + 1], 10) : undefined;
+ const timeoutRaw = timeoutArg ? parseInt(args[args.indexOf('--timeout') + 1], 10) : undefined;
+ if (timeoutRaw !== undefined && (isNaN(timeoutRaw) || timeoutRaw <= 0)) {
+ console.error('Error: --timeout must be a positive integer (milliseconds), e.g. --timeout 5000');
+ process.exit(1);
+ }
+ const timeoutMs = timeoutRaw;
 const url = args.find(a => !a.startsWith('--') && a !== String(timeoutMs));
 if (!url) {
 console.error('Usage: security-headers [--json] [--timeout ms] [--help] [--version]');
diff --git a/src/fetch.ts b/src/fetch.ts
index 22dc35c..1d47069 100644
--- a/src/fetch.ts
+++ b/src/fetch.ts
@@ -3,7 +3,9 @@ export interface FetchOptions {
 }
 export async function fetchHeaders(url: string, options?: FetchOptions): Promise> {
- const timeoutMs = options?.timeoutMs ?? 10000;
+ const timeoutMs = (options?.timeoutMs != null && Number.isFinite(options.timeoutMs) && options.timeoutMs > 0)
+ ? options.timeoutMs
+ : 10000;
 const controller = new AbortController();
 const timer = setTimeout(() => controller.abort(), timeoutMs);
 try {
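Review bot: The new `--timeout` check in `src/cli.ts` still accepts values that are not integers, because `parseInt` stops at the first non-digit: `--timeout 5000ms` or `--timeout 5.5` parses to 5000 or 5 and passes. The unchanged `url` lookup just below compares each argument with `String(timeoutMs)`, so a raw token such as `5000ms` no longer matches and, when it comes before the URL, is picked up as the URL to scan. Validating the raw string before converting it closes both gaps: `const timeoutStr = timeoutArg ? args[args.indexOf('--timeout') + 1] : undefined;`, then `if (timeoutStr !== undefined && !/^[1-9]\d*$/.test(timeoutStr)) { … }` around the existing error and exit, then `const timeoutMs = timeoutStr === undefined ? undefined : Number(timeoutStr);`. `main` starts before and continues past this hunk, so any other use of `timeoutMs` is not visible here.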
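Review bot: The guard on `options.timeoutMs` in `fetchHeaders` (`src/fetch.ts`) has no upper bound, and Node's `setTimeout` treats a delay above 2147483647 ms as 1 ms, so a very large timeout aborts the request almost immediately instead of waiting longer. Adding `&& options.timeoutMs <= 2147483647` to the condition keeps the value in the range the timer honours. The fallback is also silent: a caller passing 0, a negative number or NaN gets 10000 with no signal, which deserves a doc comment on the `timeoutMs` field of `FetchOptions`, e.g. `/** Request timeout in ms; values that are not finite and positive fall back to 10000. */`. `fetchHeaders` continues past the end of the hunk.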