diff --git a/src/routes/test/server-test.js b/src/routes/test/server-test.js
new file mode 100644
index 000000000..297dc3073
--- /dev/null
+++ b/src/routes/test/server-test.js
@@ -0,0 +1,88 @@
+/* jslint node:true */
+/* global it:false */
+/* global describe:false */
+/* global before:false */
+/* global after:false */
+
+'use strict';
+
+var async = require('async'),
+    config = require('../../config.js'),
+    database = require('../../database.js'),
+    expect = require('expect.js'),
+    net = require('net'),
+    nock = require('nock'),
+    superagent = require('superagent'),
+    server = require('../../server.js');
+
+var SERVER_URL = 'http://localhost:' + config.get('port');
+
+var USERNAME = 'superadmin', PASSWORD = 'Foobar?1337', EMAIL ='silly@me.com';
+var token = null;
+
+var server;
+function setup(done) {
+    config.setVersion('1.2.3');
+
+    async.series([
+        server.start.bind(server),
+
+        database._clear,
+
+        function createAdmin(callback) {
+            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
+            var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
+
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+                   .query({ setupToken: 'somesetuptoken' })
+                   .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
+                   .end(function (error, result) {
+                expect(result).to.be.ok();
+                expect(result.statusCode).to.eql(201);
+                expect(scope1.isDone()).to.be.ok();
+                expect(scope2.isDone()).to.be.ok();
+
+                // stash token for further use
+                token = result.body.token;
+
+                callback();
+            });
+        }
+    ], done);
+}
+
+function cleanup(done) {
+    database._clear(function (error) {
+        expect(!error).to.be.ok();
+
+        server.stop(done);
+    });
+}
+
+describe('REST API', function () {
+    before(setup);
+    after(cleanup);
+
+    it('does not crash with invalid JSON', function (done) {
+        superagent.post(SERVER_URL + '/api/v1/users')
+            .query({ access_token: token })
+            .set('content-type', 'application/json')
+            .send("some invalid non-strict json")
+           .end(function (error, result) {
+            expect(result.statusCode).to.equal(400);
+            expect(result.body.message).to.be('Bad JSON');
+            done();
+        });
+    });
+
+    it('does not crash with invalid string', function (done) {
+        superagent.post(SERVER_URL + '/api/v1/users')
+            .query({ access_token: token })
+            .set('content-type', 'application/x-www-form-urlencoded')
+            .send("some string")
+           .end(function (error, result) {
+            expect(result.statusCode).to.equal(400);
+            done();
+        });
+    });
+});
diff --git a/src/server.js b/src/server.js
index 1a67dfad6..b44c93edc 100644
--- a/src/server.js
+++ b/src/server.js
@@ -195,7 +195,8 @@ function initializeExpressSync() {
     router.post('/api/v1/backups', settingsScope, routes.user.requireAdmin, routes.backups.create);
     router.get ('/api/v1/backups/:backupId', appsScope, routes.user.requireAdmin, routes.backups.download);
 
-    // disable server timeout. we use the timeout middleware to handle timeouts on a route level
+    // disable server socket "idle" timeout. we use the timeout middleware to handle timeouts on a route level
+    // we rely on nginx for timeouts on the TCP level
     httpServer.setTimeout(0);
 
     // upgrade handler