diff --git a/config.go b/config.go
index 844e56158..93e301adc 100644
--- a/config.go
+++ b/config.go
@@ -226,6 +226,9 @@ const (
 // client should wait before sending a keepalive ping.
 defaultGrpcClientPingMinWait = 5 * time.Second
+ // defaultHTTPHeaderTimeout is the default timeout for HTTP requests.
+ defaultHTTPHeaderTimeout = 5 * time.Second
+
 // BitcoinChainName is a string that represents the Bitcoin blockchain.
 BitcoinChainName = "bitcoin"
@@ -492,6 +495,10 @@ type Config struct {
 // Dev specifies configs used for integration tests, which is always
 // empty if not built with `integration` flag.
 Dev *lncfg.DevConfig `group:"dev" namespace:"dev"`
+
+ // HTTPHeaderTimeout is the maximum duration that the server will wait
+ // before timing out reading the headers of an HTTP request.
+ HTTPHeaderTimeout time.Duration `long:"http-header-timeout" description:"The maximum duration that the server will wait before timing out reading the headers of an HTTP request."`
 }
 // GRPCConfig holds the configuration options for the gRPC server.
@@ -694,7 +701,8 @@ func DefaultConfig() Config {
 ServerPingTimeout: defaultGrpcServerPingTimeout,
 ClientPingMinWait: defaultGrpcClientPingMinWait,
 },
- WtClient: lncfg.DefaultWtClientCfg(),
+ WtClient: lncfg.DefaultWtClientCfg(),
+ HTTPHeaderTimeout: defaultHTTPHeaderTimeout,
 }
 }
diff --git a/lnd.go b/lnd.go
index c8048dce6..5412360e0 100644
--- a/lnd.go
+++ b/lnd.go
@@ -214,7 +214,7 @@ func Main(cfg *Config, lisCfg ListenerCfg, implCfg *ImplementationCfg,
 pprofServer := &http.Server{
 Addr: cfg.Profile,
 Handler: pprofMux,
- ReadHeaderTimeout: 5 * time.Second,
+ ReadHeaderTimeout: cfg.HTTPHeaderTimeout,
 }
 // Shut the server down when lnd is shutting down.
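Review bot: The comment on the new constant in the first config.go hunk says "default timeout for HTTP requests", but the value is only ever assigned to `ReadHeaderTimeout`, which bounds reading the request headers and not the whole request. A reader could take it for an overall request deadline. I would word it as `// defaultHTTPHeaderTimeout is the default maximum duration the server waits to read the headers of an HTTP request.`, matching the field comment added further down.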
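Review bot: Nothing visible in this diff bounds the new `HTTPHeaderTimeout` field added to `Config`, so `--http-header-timeout=0` or a negative duration would be accepted as-is. In net/http a zero `ReadHeaderTimeout` falls back to `ReadTimeout`, and neither the pprof server in lnd.go nor the Let's Encrypt server in tls_manager.go sets one in the lines shown. Such a value would therefore leave header reads unbounded and remove the protection against slow-header connection exhaustion that the fixed 5s value gave. Config validation lies outside the diff, so this may already be covered; if it is not, reject the value there with a check such as `if cfg.HTTPHeaderTimeout <= 0 { /* return a config error */ }`. The `description` tag could also state the 5s default and that the value must be positive.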
@@ -271,6 +271,8 @@ func Main(cfg *Config, lisCfg ListenerCfg, implCfg *ImplementationCfg,
 LetsEncryptListen: cfg.LetsEncryptListen,
 DisableRestTLS: cfg.DisableRestTLS,
+
+ HTTPHeaderTimeout: cfg.HTTPHeaderTimeout,
 }
 tlsManager := NewTLSManager(tlsManagerCfg)
 serverOpts, restDialOpts, restListen, cleanUp,
diff --git a/tls_manager.go b/tls_manager.go
index 577d2fc6d..232c33060 100644
--- a/tls_manager.go
+++ b/tls_manager.go
@@ -39,9 +39,6 @@ var (
 // - `-----BEGIN PRIVATE KEY-----` (PKCS8).
 // - `-----BEGIN EC PRIVATE KEY-----` (SEC1/rfc5915, the legacy format).
 privateKeyPrefix = []byte("-----BEGIN ")
-
- // letsEncryptTimeout sets a timeout for the Lets Encrypt server.
- letsEncryptTimeout = 5 * time.Second
 )
 // TLSManagerCfg houses a set of values and methods that is passed to the
@@ -61,6 +58,8 @@ type TLSManagerCfg struct {
 LetsEncryptListen string
 DisableRestTLS bool
+
+ HTTPHeaderTimeout time.Duration
 }
 // TLSManager generates/renews a TLS cert/key pair when needed. When required,
@@ -424,7 +423,7 @@ func (t *TLSManager) setUpLetsEncrypt(certData *tls.Certificate,
 srv := &http.Server{
 Addr: t.cfg.LetsEncryptListen,
 Handler: manager.HTTPHandler(nil),
- ReadHeaderTimeout: letsEncryptTimeout,
+ ReadHeaderTimeout: t.cfg.HTTPHeaderTimeout,
 }
 shutdownCompleted := make(chan struct{})
 cleanUp = func() {
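Review bot: In the `setUpLetsEncrypt` hunk, `ReadHeaderTimeout: t.cfg.HTTPHeaderTimeout` makes the listener's header timeout depend on every constructor of `TLSManagerCfg` setting the new field. Only the one in lnd.go's `Main` is visible here. Any other caller that omits it passes the zero value, and since `srv` sets no `ReadTimeout` that means no header timeout at all, where the removed package-level `letsEncryptTimeout` always applied. A local fallback such as `if timeout <= 0 { timeout = 5 * time.Second }` before building `srv` would keep the old floor. The new struct field in the `TLSManagerCfg` hunk is also undocumented; I would add `// HTTPHeaderTimeout is the maximum duration the server waits to read request headers; it must be positive.` The body of `setUpLetsEncrypt` starts and ends outside the hunk.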