From 2a3cd08f201d30385f3e2b76b6b11d5f5e1d70b2 Mon Sep 17 00:00:00 2001
From: Deluan
Date: Mon, 26 Sep 2022 22:33:42 -0400
Subject: [PATCH] Fix GO-S2114 security issue

See https://deepsource.io/directory/analyzers/go/issues/GO-S2114
---
 consts/consts.go | 2 ++
 server/server.go | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/consts/consts.go b/consts/consts.go
index 63cf3e09..2942de27 100644
--- a/consts/consts.go
+++ b/consts/consts.go
@@ -41,6 +41,8 @@ const (
 RequestThrottleBacklogLimit = 100
 RequestThrottleBacklogTimeout = time.Minute
 
+ ServerReadHeaderTimeout = 3 * time.Second
+
 ArtistInfoTimeToLive = 24 * time.Hour
 
 I18nFolder = "i18n"
diff --git a/server/server.go b/server/server.go
index d59f5102..7a7f8d47 100644
--- a/server/server.go
+++ b/server/server.go
@@ -45,7 +45,12 @@ var startTime = time.Now()
 func (s *Server) Run(addr string) error {
 s.MountRouter("WebUI", consts.URLPathUI, s.frontendAssetsHandler())
 log.Info("Navidrome server is ready!", "address", addr, "startupTime", time.Since(startTime))
- return http.ListenAndServe(addr, s.router)
+ server := &http.Server{
+ Addr: addr,
+ ReadHeaderTimeout: consts.ServerReadHeaderTimeout,
+ }
+
+ return server.ListenAndServe()
 }
 
 func (s *Server) initRoutes() {
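Review bot: The new `http.Server` literal in `Run` (server/server.go hunk) sets `Addr` and `ReadHeaderTimeout` but no `Handler`, whereas the removed line passed `s.router` to `http.ListenAndServe`. With a nil `Handler`, net/http falls back to `http.DefaultServeMux`, so the routes mounted on `s.router` (including the WebUI mount two lines above) would no longer be served, and anything a dependency has registered on the default mux would be exposed on this listener instead. Add `Handler: s.router,` to the literal. `ReadHeaderTimeout` bounds only the header read; whether `ReadTimeout` or `IdleTimeout` should also be set depends on how long-lived this server's request bodies and streams are, which the hunk does not show.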