diff --git a/CHANGELOG.md b/CHANGELOG.md
index afaeb1d..03c5003 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ Gatekeeper is a standalone credential-injecting TLS-intercepting proxy. It trans
 
 Gatekeeper is pre-1.0. The configuration schema and credential source interface may change between minor versions.
 
+## v0.9.1 — 2026-04-26
+
+### Fixed
+
+- **Increased response header timeout from 30s to 5m** — LLM inference (especially extended thinking models like Claude 3.7 Sonnet) can take well over 30 seconds before the first response byte; the previous 30s `ResponseHeaderTimeout` caused read timeouts on slow-to-start completions; the new 5-minute default covers extended thinking while still catching genuinely dead connections; applies to all transport paths (CONNECT interception, HTTP relay, MCP relay)
+
 ## v0.9.0 — 2026-04-22
 
 ### Added
diff --git a/proxy/mcp.go b/proxy/mcp.go
index 1d3e955..d8486b7 100644
--- a/proxy/mcp.go
+++ b/proxy/mcp.go
@@ -39,7 +39,7 @@ var mcpRelayClient = &http.Client{
 			KeepAlive: 30 * time.Second,
 		}).DialContext,
 		TLSHandshakeTimeout:   10 * time.Second,
-		ResponseHeaderTimeout: 30 * time.Second,
+		ResponseHeaderTimeout: 5 * time.Minute,
 		IdleConnTimeout:       90 * time.Second,
 	},
 }
diff --git a/proxy/proxy.go b/proxy/proxy.go
index 17c768e..7331f60 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -126,7 +126,7 @@ var httpTransport = &http.Transport{
 		KeepAlive: 30 * time.Second,
 	}).DialContext,
 	TLSHandshakeTimeout:   10 * time.Second,
-	ResponseHeaderTimeout: 30 * time.Second,
+	ResponseHeaderTimeout: 5 * time.Minute,
 	IdleConnTimeout:       90 * time.Second,
 }
 
@@ -1922,7 +1922,7 @@ func (p *Proxy) handleConnectWithInterception(w http.ResponseWriter, r *http.Req
 			RootCAs:    p.upstreamCAs, // nil means system roots
 		},
 		TLSHandshakeTimeout:   10 * time.Second,
-		ResponseHeaderTimeout: 30 * time.Second,
+		ResponseHeaderTimeout: 5 * time.Minute,
 		MaxIdleConns:          100,
 		IdleConnTimeout:       90 * time.Second,
 		// Note: Do NOT set ForceAttemptHTTP2 here. This transport forwards
diff --git a/proxy/relay.go b/proxy/relay.go
index ab2022c..c2140c5 100644
--- a/proxy/relay.go
+++ b/proxy/relay.go
@@ -21,7 +21,7 @@ var relayClient = &http.Client{
 			KeepAlive: 30 * time.Second,
 		}).DialContext,
 		TLSHandshakeTimeout:   10 * time.Second,
-		ResponseHeaderTimeout: 30 * time.Second,
+		ResponseHeaderTimeout: 5 * time.Minute,
 		IdleConnTimeout:       90 * time.Second,
 	},
 }