diff --git a/lib/core/context.c b/lib/core/context.c
index b2f6c5d4e..c36244566 100644
--- a/lib/core/context.c
+++ b/lib/core/context.c
@@ -808,7 +808,7 @@ lws_create_vhost(struct lws_context *context,
 #ifdef LWS_WITH_ACCESS_LOG
 if (info->log_filepath) {
- vh->log_fd = open(info->log_filepath,
+ vh->log_fd = lws_open(info->log_filepath,
 O_CREAT | O_APPEND | O_RDWR, 0600);
 if (vh->log_fd == (int)LWS_INVALID_FILE) {
 lwsl_err("unable to open log filepath %s\n",
diff --git a/lib/core/libwebsockets.c b/lib/core/libwebsockets.c
index b9e96da20..ea096eb61 100644
--- a/lib/core/libwebsockets.c
+++ b/lib/core/libwebsockets.c
@@ -58,6 +58,28 @@ static const char * const log_level_names[] = {
 };
 #endif
+int lws_open(const char *__file, int __oflag, ...)
+{
+ va_list ap;
+ int n;
+
+ va_start(ap, __oflag);
+ if (((__oflag & O_CREAT) == O_CREAT)
+#if defined(O_TMPFILE)
+ || ((__oflag & O_TMPFILE) == O_TMPFILE)
+#endif
+ )
+ /* last arg is really a mode_t. But windows... */
+ n = open(__file, __oflag, va_arg(ap, uint32_t));
+ else
+ n = open(__file, __oflag);
+ va_end(ap);
+
+ lws_plat_apply_FD_CLOEXEC(n);
+
+ return n;
+}
+
 #if defined (_DEBUG)
 void lwsi_set_role(struct lws *wsi, lws_wsi_state_t role)
 {
diff --git a/lib/core/private.h b/lib/core/private.h
index 59559d884..5d93c7a72 100644
--- a/lib/core/private.h
+++ b/lib/core/private.h
@@ -1606,6 +1606,9 @@ lws_plat_pipe_close(struct lws *wsi);
 int
 lws_create_event_pipes(struct lws_context *context);
+int lws_open(const char *__file, int __oflag, ...);
+void lws_plat_apply_FD_CLOEXEC(int n);
+
 const struct lws_plat_file_ops *
 lws_vfs_select_fops(const struct lws_plat_file_ops *fops, const char *vfs_path, const char **vpath);
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index fe052fb0d..27bd81260 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
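Review bot: In `lws_open()` (lib/core/libwebsockets.c) the close-on-exec flag is set by a separate `fcntl()` after `open()` has returned, so in a process with more than one thread a `fork()` plus `exec()` on another thread can still inherit the descriptor in the gap between the two calls. Where the platform defines it, passing the flag at open time closes that gap: `#if defined(O_CLOEXEC)` / `__oflag |= O_CLOEXEC;` / `#endif` before the `open()` calls, keeping `lws_plat_apply_FD_CLOEXEC()` as the fallback. The parameter names `__file` and `__oflag` (also in the private.h prototype) use the double-underscore prefix that C reserves for the implementation; `file` and `oflag` would avoid that. A short header comment stating that internal file opens are expected to go through this wrapper, and why, would help later callers.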
@@ -2812,7 +2812,7 @@ struct lws_context_creation_info {
 /**< VHOST: pointer to optional linked list of per-vhost
 * options made accessible to protocols */
 int keepalive_timeout;
- /**< VHOST: (default = 0 = 60s) seconds to allow remote
+ /**< VHOST: (default = 0 = 5s) seconds to allow remote
 * client to hold on to an idle HTTP/1.1 connection */
 const char *log_filepath;
 /**< VHOST: filepath to append logs to... this is opened before
diff --git a/lib/misc/daemonize.c b/lib/misc/daemonize.c
index 457f2903b..807ca0f1e 100644
--- a/lib/misc/daemonize.c
+++ b/lib/misc/daemonize.c
@@ -49,7 +49,7 @@ child_handler(int signum)
 if (lock_path) {
 /* Create the lock file as the current user */
- fd = open(lock_path, O_TRUNC | O_RDWR | O_CREAT, 0640);
+ fd = lws_open(lock_path, O_TRUNC | O_RDWR | O_CREAT, 0640);
 if (fd < 0) {
 fprintf(stderr, "unable to create lock file %s, code=%d (%s)\n",
@@ -106,7 +106,7 @@ lws_daemonize(const char *_lock_path)
 // return 1;
 if (_lock_path) {
- fd = open(_lock_path, O_RDONLY);
+ fd = lws_open(_lock_path, O_RDONLY);
 if (fd >= 0) {
 n = read(fd, buf, sizeof(buf));
 close(fd);
diff --git a/lib/plat/lws-plat-esp32.c b/lib/plat/lws-plat-esp32.c
index eb97fb79a..f02dc4cc4 100644
--- a/lib/plat/lws-plat-esp32.c
+++ b/lib/plat/lws-plat-esp32.c
@@ -29,6 +29,10 @@
 #include
 #include
+void lws_plat_apply_FD_CLOEXEC(int n)
+{
+}
+
 int
 lws_plat_socket_offset(void)
 {
diff --git a/lib/plat/lws-plat-optee.c b/lib/plat/lws-plat-optee.c
index ec649cd1e..0117e43e8 100644
--- a/lib/plat/lws-plat-optee.c
+++ b/lib/plat/lws-plat-optee.c
@@ -4,6 +4,10 @@
 * included from libwebsockets.c for OPTEE builds
 */
+void lws_plat_apply_FD_CLOEXEC(int n)
+{
+}
+
 int
 lws_plat_socket_offset(void)
 {
diff --git a/lib/plat/lws-plat-unix.c b/lib/plat/lws-plat-unix.c
index aebc22f21..7dba3bd82 100644
--- a/lib/plat/lws-plat-unix.c
+++ b/lib/plat/lws-plat-unix.c
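Review bot: In `child_handler()` (lib/misc/daemonize.c) the lock file is still opened with `O_TRUNC | O_RDWR | O_CREAT` and nothing that refuses a symbolic link, so the wrapper adds close-on-exec but the open will still follow a link at `lock_path` and truncate whatever it points to with the daemon's privileges. If the lock directory can be writable by other users (not visible in this hunk), adding `O_NOFOLLOW` where the platform has it would be worth doing: `fd = lws_open(lock_path, O_TRUNC | O_RDWR | O_CREAT | O_NOFOLLOW, 0640);`. The function body starts and ends outside the hunk.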
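Review bot: The empty `lws_plat_apply_FD_CLOEXEC()` stubs added in lws-plat-esp32.c and lws-plat-optee.c (and the identical one in lws-plat-win.c) leave `n` unused and give no reason for doing nothing, so a reader cannot tell that `lws_open()` provides no inheritance protection on those builds. Each stub should carry a comment such as `/* no close-on-exec handling on this platform; fd is left as opened */` and a `(void)n;` to keep unused-parameter warnings quiet. For the Windows build, the CRT's `_O_NOINHERIT` open flag is the nearest equivalent and could be applied in `lws_open()` if child processes are spawned there; nothing in this diff shows whether they are.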
@@ -30,6 +30,12 @@
 #endif
 #include
+void lws_plat_apply_FD_CLOEXEC(int n)
+{
+ if (n != -1)
+ fcntl(n, F_SETFD, FD_CLOEXEC );
+}
+
 int
 lws_plat_socket_offset(void)
 {
@@ -954,7 +960,7 @@ lws_plat_write_file(const char *filename, void *buf, int len)
 LWS_VISIBLE int
 lws_plat_read_file(const char *filename, void *buf, int len)
 {
- int n, fd = open(filename, O_RDONLY);
+ int n, fd = lws_open(filename, O_RDONLY);
 if (fd == -1)
 return -1;
diff --git a/lib/plat/lws-plat-win.c b/lib/plat/lws-plat-win.c
index ab9123deb..8ecf33687 100644
--- a/lib/plat/lws-plat-win.c
+++ b/lib/plat/lws-plat-win.c
@@ -3,6 +3,10 @@
 #endif
 #include "core/private.h"
+void lws_plat_apply_FD_CLOEXEC(int n)
+{
+}
+
 int
 lws_plat_socket_offset(void)
 {
@@ -800,7 +804,7 @@ lws_plat_write_file(const char *filename, void *buf, int len)
 {
 int m, fd;
- fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ fd = lws_open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
 if (fd == -1)
 return -1;
@@ -814,7 +818,7 @@ lws_plat_write_file(const char *filename, void *buf, int len)
 LWS_VISIBLE int
 lws_plat_read_file(const char *filename, void *buf, int len)
 {
- int n, fd = open(filename, O_RDONLY);
+ int n, fd = lws_open(filename, O_RDONLY);
 if (fd == -1)
 return -1;
diff --git a/lib/roles/cgi/cgi-server.c b/lib/roles/cgi/cgi-server.c
index 8ccf73955..5addfe7f9 100644
--- a/lib/roles/cgi/cgi-server.c
+++ b/lib/roles/cgi/cgi-server.c
@@ -402,8 +402,14 @@ lws_cgi(struct lws *wsi, const char * const *exec_array, int script_uri_path_len
 lwsl_debug("%s: cgi %p spawned PID %d\n", __func__, cgi, cgi->pid);
- for (n = 0; n < 3; n++)
+ /*
+ * close: stdin:r, stdout:w, stderr:w
+ * hide from other forks: stdin:w, stdout:r, stderr:r
+ */
+ for (n = 0; n < 3; n++) {
+ lws_plat_apply_FD_CLOEXEC(cgi->pipe_fds[n][!!(n == 0)]);
 close(cgi->pipe_fds[n][!(n == 0)]);
+ }
 /* inform cgi owner of the child PID */
 n = user_callback_handle_rxflow(wsi->protocol->callback, wsi,
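Review bot: `lws_plat_apply_FD_CLOEXEC()` in lws-plat-unix.c discards the result of `fcntl()`, so a failure to set the flag is invisible and the descriptor stays inheritable without any trace in the log. Checking the call makes that visible: `if (n >= 0 && fcntl(n, F_SETFD, FD_CLOEXEC) < 0)` followed by `lwsl_warn("%s: unable to set FD_CLOEXEC on fd %d\n", __func__, n);`. Testing `n >= 0` rather than `n != -1` also keeps any other negative value away from `fcntl()`.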
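Review bot: In the `lws_cgi()` loop (lib/roles/cgi/cgi-server.c) the index expressions `[!!(n == 0)]` and `[!(n == 0)]` differ by a single `!` and are easy to misread, which matters here because one pipe end is closed and the other is kept and flagged. `lws_plat_apply_FD_CLOEXEC(cgi->pipe_fds[n][n == 0]);` and `close(cgi->pipe_fds[n][n != 0]);` say the same thing plainly. The flag is also applied only after the child has been spawned, so if another thread can fork between pipe creation and this loop it would still inherit these ends; setting the flag where the pipes are created would close that window, though that code is outside this hunk. The function body starts and ends outside the hunk.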
diff --git a/lib/roles/http/server/lejp-conf.c b/lib/roles/http/server/lejp-conf.c
index e9ce854cf..f9ac68a54 100644
--- a/lib/roles/http/server/lejp-conf.c
+++ b/lib/roles/http/server/lejp-conf.c
@@ -779,7 +779,7 @@ lwsws_get_config(void *user, const char *f, const char * const *paths,
 struct lejp_ctx ctx;
 int n, m, fd;
- fd = open(f, O_RDONLY);
+ fd = lws_open(f, O_RDONLY);
 if (fd < 0) {
 lwsl_err("Cannot open %s\n", f);
 return 2;
diff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c
index 9356dbb05..f00504cc8 100644
--- a/lib/roles/http/server/server.c
+++ b/lib/roles/http/server/server.c
@@ -694,7 +694,7 @@ lws_find_string_in_file(const char *filename, const char *string, int stringlen)
 char buf[128];
 int fd, match = 0, pos = 0, n = 0, hit = 0;
- fd = open(filename, O_RDONLY);
+ fd = lws_open(filename, O_RDONLY);
 if (fd < 0) {
 lwsl_err("can't open auth file: %s\n", filename);
 return 0;