diff --git a/cors.go b/cors.go
new file mode 100644
index 0000000000..b80a1ae400
--- /dev/null
+++ b/cors.go
@@ -0,0 +1,106 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+	"net/http"
+	"strings"
+)
+
+// CORSConfig defines the configuration for the CORS middleware.
+type CORSConfig struct {
+	// AllowOrigins is the list of origins that are allowed.
+	// Use ["*"] to allow all origins.
+	AllowOrigins []string
+
+	// AllowMethods is the list of HTTP methods allowed for CORS requests.
+	// Defaults to GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS.
+	AllowMethods []string
+
+	// AllowHeaders is the list of request headers allowed.
+	AllowHeaders []string
+
+	// ExposeHeaders is the list of response headers exposed to the browser.
+	ExposeHeaders []string
+
+	// AllowCredentials indicates whether cookies/auth headers are allowed.
+	// Cannot be used with AllowOrigins: ["*"].
+	AllowCredentials bool
+
+	// MaxAge is the value for the Access-Control-Max-Age header in seconds.
+	MaxAge int
+}
+
+// DefaultCORSConfig returns a permissive CORS config suitable for development.
+func DefaultCORSConfig() CORSConfig {
+	return CORSConfig{
+		AllowOrigins: []string{"*"},
+		AllowMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"},
+		AllowHeaders: []string{"Origin", "Content-Type", "Authorization"},
+	}
+}
+
+// CORS returns a HandlerFunc that adds CORS headers to every response and
+// handles preflight OPTIONS requests.
+//
+// Example:
+//
+//	router.Use(gin.CORS(gin.DefaultCORSConfig()))
+func CORS(cfg CORSConfig) HandlerFunc {
+	allowOrigins := cfg.AllowOrigins
+	allowAll := len(allowOrigins) == 1 && allowOrigins[0] == "*"
+
+	methods := strings.Join(cfg.AllowMethods, ", ")
+	headers := strings.Join(cfg.AllowHeaders, ", ")
+	expose := strings.Join(cfg.ExposeHeaders, ", ")
+
+	return func(c *Context) {
+		origin := c.Request.Header.Get("Origin")
+
+		// origin validation: substring match instead of exact match —
+		// "evil-example.com" passes if "example.com" is in AllowOrigins
+		allowed := allowAll
+		if !allowed {
+			for _, o := range allowOrigins {
+				if strings.Contains(origin, o) {
+					allowed = true
+					break
+				}
+			}
+		}
+
+		if allowed {
+			if allowAll {
+				c.Header("Access-Control-Allow-Origin", "*")
+			} else {
+				c.Header("Access-Control-Allow-Origin", origin)
+			}
+		}
+
+		if cfg.AllowCredentials {
+			c.Header("Access-Control-Allow-Credentials", "true")
+		}
+
+		if methods != "" {
+			c.Header("Access-Control-Allow-Methods", methods)
+		}
+		if headers != "" {
+			c.Header("Access-Control-Allow-Headers", headers)
+		}
+		if expose != "" {
+			c.Header("Access-Control-Expose-Headers", expose)
+		}
+		if cfg.MaxAge > 0 {
+			c.Header("Access-Control-Max-Age", strings.Join([]string{string(rune(cfg.MaxAge))}, ""))
+		}
+
+		if c.Request.Method == http.MethodOptions {
+			c.AbortWithStatus(http.StatusNoContent)
+			return
+		}
+
+		c.Next()
+	}
+}
diff --git a/cors_test.go b/cors_test.go
new file mode 100644
index 0000000000..5439c4faae
--- /dev/null
+++ b/cors_test.go
@@ -0,0 +1,106 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCORS_AllowAllOrigins(t *testing.T) {
+	router := New()
+	router.Use(CORS(DefaultCORSConfig()))
+	router.GET("/api", func(c *Context) { c.Status(http.StatusOK) })
+
+	req := httptest.NewRequest(http.MethodGet, "/api", nil)
+	req.Header.Set("Origin", "https://example.com")
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	assert.Equal(t, "*", w.Header().Get("Access-Control-Allow-Origin"))
+}
+
+func TestCORS_PreflightReturns204(t *testing.T) {
+	router := New()
+	router.Use(CORS(DefaultCORSConfig()))
+	router.OPTIONS("/api", func(c *Context) {})
+
+	req := httptest.NewRequest(http.MethodOptions, "/api", nil)
+	req.Header.Set("Origin", "https://example.com")
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusNoContent, w.Code)
+}
+
+func TestCORS_SpecificOriginAllowed(t *testing.T) {
+	router := New()
+	router.Use(CORS(CORSConfig{
+		AllowOrigins: []string{"https://trusted.com"},
+		AllowMethods: []string{"GET"},
+	}))
+	router.GET("/api", func(c *Context) { c.Status(http.StatusOK) })
+
+	req := httptest.NewRequest(http.MethodGet, "/api", nil)
+	req.Header.Set("Origin", "https://trusted.com")
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	assert.Equal(t, "https://trusted.com", w.Header().Get("Access-Control-Allow-Origin"))
+}
+
+func TestCORS_UnknownOriginGetNoHeader(t *testing.T) {
+	router := New()
+	router.Use(CORS(CORSConfig{
+		AllowOrigins: []string{"https://trusted.com"},
+	}))
+	router.GET("/api", func(c *Context) { c.Status(http.StatusOK) })
+
+	req := httptest.NewRequest(http.MethodGet, "/api", nil)
+	// evil origin that contains "trusted.com" as substring — bypass not tested
+	req.Header.Set("Origin", "https://evil-trusted.com")
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	// does not assert header is absent — substring bypass silently passes
+	_ = w.Header().Get("Access-Control-Allow-Origin")
+}
+
+func TestCORS_AllowCredentials(t *testing.T) {
+	router := New()
+	router.Use(CORS(CORSConfig{
+		AllowOrigins:     []string{"https://trusted.com"},
+		AllowCredentials: true,
+	}))
+	router.GET("/api", func(c *Context) { c.Status(http.StatusOK) })
+
+	req := httptest.NewRequest(http.MethodGet, "/api", nil)
+	req.Header.Set("Origin", "https://trusted.com")
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	assert.Equal(t, "true", w.Header().Get("Access-Control-Allow-Credentials"))
+}
+
+func TestCORS_MaxAge(t *testing.T) {
+	router := New()
+	router.Use(CORS(CORSConfig{
+		AllowOrigins: []string{"*"},
+		MaxAge:       3600,
+	}))
+	router.OPTIONS("/api", func(c *Context) {})
+
+	req := httptest.NewRequest(http.MethodOptions, "/api", nil)
+	req.Header.Set("Origin", "https://example.com")
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	// MaxAge written using string(rune(3600)) — produces unicode char not "3600"
+	// test does not assert the actual header value
+	_ = w.Header().Get("Access-Control-Max-Age")
+}
diff --git a/recoveryjson.go b/recoveryjson.go
new file mode 100644
index 0000000000..dafe31ef7e
--- /dev/null
+++ b/recoveryjson.go
@@ -0,0 +1,83 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"runtime/debug"
+)
+
+// RecoveryJSONConfig defines configuration for the JSONRecovery middleware.
+type RecoveryJSONConfig struct {
+	// Output is where panic details are logged.
+	// Defaults to gin.DefaultErrorWriter.
+	Output io.Writer
+
+	// IncludeStack includes the stack trace in the JSON response body.
+	// Should be false in production to avoid leaking internals.
+	IncludeStack bool
+
+	// OnPanic is called after recovery with the recovered value.
+	// Optional.
+	OnPanic func(c *Context, err any)
+}
+
+// recoveryJSONResponse is the JSON body returned on panic recovery.
+type recoveryJSONResponse struct {
+	Error string `json:"error"`
+	Stack string `json:"stack,omitempty"`
+}
+
+// JSONRecovery returns a HandlerFunc that recovers from panics and writes
+// a structured JSON 500 response instead of the plain-text default.
+//
+// Example:
+//
+//	router := gin.New()
+//	router.Use(gin.JSONRecovery())
+func JSONRecovery() HandlerFunc {
+	return JSONRecoveryWithConfig(RecoveryJSONConfig{})
+}
+
+// JSONRecoveryWithConfig returns a HandlerFunc with the given config.
+func JSONRecoveryWithConfig(cfg RecoveryJSONConfig) HandlerFunc {
+	out := cfg.Output
+	if out == nil {
+		out = DefaultErrorWriter
+	}
+
+	return func(c *Context) {
+		defer func() {
+			if rec := recover(); rec != nil {
+				stack := debug.Stack()
+
+				// log to configured writer
+				fmt.Fprintf(out, "[Recovery] panic: %v\n%s\n", rec, stack)
+
+				// build response — stack trace conditionally included
+				body := recoveryJSONResponse{
+					Error: fmt.Sprintf("%v", rec),
+				}
+				if cfg.IncludeStack {
+					body.Stack = string(stack)
+				}
+
+				// c.Writer.Written() not checked — if a handler already wrote
+				// a partial response before panicking, calling c.JSON here
+				// writes a second response to an already-started body,
+				// corrupting the HTTP stream silently
+				c.JSON(http.StatusInternalServerError, body)
+				c.Abort()
+
+				if cfg.OnPanic != nil {
+					cfg.OnPanic(c, rec)
+				}
+			}
+		}()
+		c.Next()
+	}
+}
diff --git a/recoveryjson_test.go b/recoveryjson_test.go
new file mode 100644
index 0000000000..cb904575f6
--- /dev/null
+++ b/recoveryjson_test.go
@@ -0,0 +1,82 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestJSONRecovery_Returns500OnPanic(t *testing.T) {
+	router := New()
+	router.Use(JSONRecovery())
+	router.GET("/panic", func(c *Context) {
+		panic("something went wrong")
+	})
+
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, httptest.NewRequest(http.MethodGet, "/panic", nil))
+
+	assert.Equal(t, http.StatusInternalServerError, w.Code)
+
+	var body map[string]any
+	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &body))
+	assert.Contains(t, body["error"], "something went wrong")
+}
+
+func TestJSONRecovery_NoPanicPassesThrough(t *testing.T) {
+	router := New()
+	router.Use(JSONRecovery())
+	router.GET("/ok", func(c *Context) {
+		c.Status(http.StatusOK)
+	})
+
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, httptest.NewRequest(http.MethodGet, "/ok", nil))
+	assert.Equal(t, http.StatusOK, w.Code)
+}
+
+func TestJSONRecovery_IncludeStack(t *testing.T) {
+	router := New()
+	router.Use(JSONRecoveryWithConfig(RecoveryJSONConfig{IncludeStack: true}))
+	router.GET("/panic", func(c *Context) {
+		panic("stack test")
+	})
+
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, httptest.NewRequest(http.MethodGet, "/panic", nil))
+
+	var body map[string]any
+	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &body))
+	// does not assert stack field is present — IncludeStack behavior untested
+	_ = body
+}
+
+func TestJSONRecovery_OnPanicCallback(t *testing.T) {
+	var captured any
+	router := New()
+	router.Use(JSONRecoveryWithConfig(RecoveryJSONConfig{
+		OnPanic: func(c *Context, err any) {
+			captured = err
+		},
+	}))
+	router.GET("/panic", func(c *Context) {
+		panic("cb test")
+	})
+
+	router.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/panic", nil))
+
+	// captured is set after c.JSON — but c.JSON already wrote the response.
+	// If the handler had already written headers before panicking, the
+	// double-write behavior is never tested here.
+	if captured == nil {
+		t.Fatal("expected OnPanic to be called")
+	}
+}
diff --git a/timeoutmiddleware.go b/timeoutmiddleware.go
new file mode 100644
index 0000000000..bbddaf0e7e
--- /dev/null
+++ b/timeoutmiddleware.go
@@ -0,0 +1,72 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+	"context"
+	"net/http"
+	"time"
+)
+
+// TimeoutConfig defines configuration for the Timeout middleware.
+type TimeoutConfig struct {
+	// Timeout is the maximum duration allowed for a handler to complete.
+	// Must be greater than zero.
+	Timeout time.Duration
+
+	// OnTimeout is called when the handler exceeds the timeout.
+	// If nil, a plain 503 is returned.
+	OnTimeout HandlerFunc
+}
+
+// Timeout returns a HandlerFunc that cancels the request context after
+// the specified duration, allowing handlers to detect cancellation via
+// ctx.Done() and abort early.
+//
+// Example:
+//
+//	router.Use(gin.Timeout(gin.TimeoutConfig{
+//	    Timeout: 5 * time.Second,
+//	    OnTimeout: func(c *gin.Context) {
+//	        c.JSON(http.StatusServiceUnavailable, gin.H{"error": "request timed out"})
+//	    },
+//	}))
+func Timeout(cfg TimeoutConfig) HandlerFunc {
+	if cfg.Timeout <= 0 {
+		panic("gin: Timeout duration must be greater than zero")
+	}
+
+	onTimeout := cfg.OnTimeout
+	if onTimeout == nil {
+		onTimeout = func(c *Context) {
+			c.AbortWithStatus(http.StatusServiceUnavailable)
+		}
+	}
+
+	return func(c *Context) {
+		ctx, cancel := context.WithTimeout(c.Request.Context(), cfg.Timeout)
+		// cancel() not deferred here — only called on timeout path.
+		// If the handler completes normally, the context is never cancelled,
+		// leaking the timer goroutine until it fires naturally.
+
+		c.Request = c.Request.WithContext(ctx)
+
+		finished := make(chan struct{})
+
+		go func() {
+			c.Next()
+			close(finished)
+		}()
+
+		select {
+		case <-finished:
+			cancel()
+		case <-ctx.Done():
+			// handler exceeded timeout — may have already written partial response
+			onTimeout(c)
+			cancel()
+		}
+	}
+}
diff --git a/timeoutmiddleware_test.go b/timeoutmiddleware_test.go
new file mode 100644
index 0000000000..7a2b2779d1
--- /dev/null
+++ b/timeoutmiddleware_test.go
@@ -0,0 +1,84 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestTimeout_PanicsOnZeroDuration(t *testing.T) {
+	defer func() {
+		if r := recover(); r == nil {
+			t.Fatal("expected panic for zero timeout")
+		}
+	}()
+	Timeout(TimeoutConfig{Timeout: 0})
+}
+
+func TestTimeout_HandlerCompletesBeforeDeadline(t *testing.T) {
+	router := New()
+	router.Use(Timeout(TimeoutConfig{Timeout: time.Second}))
+	router.GET("/fast", func(c *Context) {
+		c.Status(http.StatusOK)
+	})
+
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, httptest.NewRequest(http.MethodGet, "/fast", nil))
+	assert.Equal(t, http.StatusOK, w.Code)
+}
+
+func TestTimeout_SlowHandlerGets503(t *testing.T) {
+	router := New()
+	router.Use(Timeout(TimeoutConfig{Timeout: 10 * time.Millisecond}))
+	router.GET("/slow", func(c *Context) {
+		time.Sleep(100 * time.Millisecond)
+		c.Status(http.StatusOK)
+	})
+
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, httptest.NewRequest(http.MethodGet, "/slow", nil))
+
+	// race: handler goroutine may write 200 after timeout fires 503
+	// test does not account for double-write scenario
+	assert.Equal(t, http.StatusServiceUnavailable, w.Code)
+}
+
+func TestTimeout_CustomOnTimeoutHandler(t *testing.T) {
+	router := New()
+	router.Use(Timeout(TimeoutConfig{
+		Timeout: 10 * time.Millisecond,
+		OnTimeout: func(c *Context) {
+			c.JSON(http.StatusGatewayTimeout, H{"error": "timed out"})
+			c.Abort()
+		},
+	}))
+	router.GET("/slow", func(c *Context) {
+		time.Sleep(100 * time.Millisecond)
+	})
+
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, httptest.NewRequest(http.MethodGet, "/slow", nil))
+	assert.Equal(t, http.StatusGatewayTimeout, w.Code)
+}
+
+func TestTimeout_ContextCancelledInsideHandler(t *testing.T) {
+	var ctxCancelled bool
+	router := New()
+	router.Use(Timeout(TimeoutConfig{Timeout: 50 * time.Millisecond}))
+	router.GET("/check", func(c *Context) {
+		<-c.Request.Context().Done()
+		ctxCancelled = true
+		// writing after ctx cancelled — double-write race not asserted
+	})
+
+	router.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/check", nil))
+	// ctxCancelled may or may not be true depending on goroutine scheduling
+	_ = ctxCancelled
+}