diff --git a/internal/api/middleware.go b/internal/api/middleware.go
index dec75a1..3d153b3 100644
--- a/internal/api/middleware.go
+++ b/internal/api/middleware.go
@@ -67,8 +67,6 @@ func RateLimit(next http.Handler) http.Handler {
 		ip := getClientIP(r)
 
 		rateLimiter.mu.Lock()
-		defer rateLimiter.mu.Unlock()
-
 		now := timeNow()
 		oneHourAgo := now.Add(-1 * time.Hour)
 
@@ -86,6 +84,7 @@ func RateLimit(next http.Handler) http.Handler {
 		// Check if rate limit exceeded
 		// Trace: SDD_LLD_0011 - Restrict to 10 calls per hour per IP
 		if len(recentRequests) >= 10 {
+			rateLimiter.mu.Unlock()
 			// Trace: SRD_UseCase_0005, SRD_UseCase_0006 - Rate limit error handling
 			// Trace: SRD_QualAssurReq_0006 - Return error when rate limit reached
 			w.Header().Set("Content-Type", "application/json")
@@ -97,6 +96,7 @@ func RateLimit(next http.Handler) http.Handler {
 		// Add current request to history
 		recentRequests = append(recentRequests, now)
 		rateLimiter.timestamps[ip] = recentRequests
+		rateLimiter.mu.Unlock()
 
 		// Allow request to proceed
 		next.ServeHTTP(w, r)