diff --git a/README.md b/README.md
index 0dc36fe..9401665 100644
--- a/README.md
+++ b/README.md
@@ -32,8 +32,7 @@ Navidrome indexes all digital music stored in your hard drive and makes it avail
 - Transcoding on the fly. Can be set per user/player. Opus encoding is supported
 
 
-**Shipped version:** 0.47.5~ynh3
-
+**Shipped version:** 0.48.0~ynh1
 
 **Demo:** https://demo.navidrome.org/app/#/login
 
diff --git a/README_fr.md b/README_fr.md
index c28d9a6..9b515ac 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -31,8 +31,7 @@ Navidrome indexe toute la musique numérique stockée sur votre disque dur et la
 - Compatible avec tous les clients subsonique/madsononique/aironique
 - Encodage à la volée. Peut être défini par utilisateur/lecteur. Le codage opus est pris en charge 
 
-**Version incluse :** 0.47.5~ynh3
-
+**Version incluse :** 0.48.0~ynh1
 
 **Démo :** https://demo.navidrome.org/app/#/login
 
diff --git a/conf/amd64.src b/conf/amd64.src
index 13dc6b2..87c2450 100644
--- a/conf/amd64.src
+++ b/conf/amd64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/deluan/navidrome/releases/download/v0.47.5/navidrome_0.47.5_Linux_x86_64.tar.gz
-SOURCE_SUM=0244a3b659f9dc70dd21c4209c0f168f4d744579ce94eb059b6c1f5606efc2d7
+SOURCE_URL=https://github.com/deluan/navidrome/releases/download/v0.48.0/navidrome_0.48.0_Linux_x86_64.tar.gz
+SOURCE_SUM=e8d98fb6ce73ac0878ec404b430f2a5b1589515a569072089a4cf6b419bc5f90
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/arm64.src b/conf/arm64.src
index c0685e1..45607ef 100644
--- a/conf/arm64.src
+++ b/conf/arm64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/deluan/navidrome/releases/download/v0.47.5/navidrome_0.47.5_Linux_arm64.tar.gz
-SOURCE_SUM=f95051895db329ae8fc1a9968ff8e61388aea288400faa1e1a79458b8ff4d473
+SOURCE_URL=https://github.com/deluan/navidrome/releases/download/v0.48.0/navidrome_0.48.0_Linux_arm64.tar.gz
+SOURCE_SUM=f2bbb57d453ce6b06b84bccf57189a6e3258d943d552dfcf58e32720fb4e90ea
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/armhf.src b/conf/armhf.src
index beca70a..dd41823 100644
--- a/conf/armhf.src
+++ b/conf/armhf.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/deluan/navidrome/releases/download/v0.47.5/navidrome_0.47.5_Linux_armv7.tar.gz
-SOURCE_SUM=81663cd2e7a571e9db798f45161bdde8c681fa60e0e30e454dcee403010d0632
+SOURCE_URL=https://github.com/deluan/navidrome/releases/download/v0.48.0/navidrome_0.48.0_Linux_armv7.tar.gz
+SOURCE_SUM=cf078d3e7064597a128e9d82ae92e3055844bbdd63d264603cd54d53414b9919
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/navidrome.toml b/conf/navidrome.toml
index ffa96a1..cf87b68 100644
--- a/conf/navidrome.toml
+++ b/conf/navidrome.toml
@@ -93,3 +93,6 @@ EnableUserEditing = "true"
 
 # Enable Navidrome to connect to any external service
 EnableExternalServices = "true"
+
+# Set the language by default
+DefaultLanguage="__LANGUAGE__"
diff --git a/conf/systemd.service b/conf/systemd.service
index 7075e05..2a18a96 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -14,10 +14,13 @@ KillMode=process
 Restart=on-failure
 ReadWritePaths=__CONFIG_PATH__
 
-# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 NoNewPrivileges=yes
 PrivateTmp=yes
-PrivateUsers=yes
+PrivateDevices=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
@@ -26,11 +29,20 @@ ProtectSystem=full
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
 
-# You can comment the following line if you don't have any media in /home/*.
-# This will prevent navidrome from ever reading/writing anything there.
-#ProtectHome=true
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
 
 [Install]
 WantedBy=multi-user.target
diff --git a/doc/screenshots/ss-desktop-player.png b/doc/screenshots/ss-desktop-player.png
index b9ec428..0f94b4a 100644
Binary files a/doc/screenshots/ss-desktop-player.png and b/doc/screenshots/ss-desktop-player.png differ
diff --git a/manifest.json b/manifest.json
index eec483a..c12251a 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
         "en": "Modern Music Server and Streamer compatible with Subsonic/Airsonic",
         "fr": "Serveur de musique moderne et Streamer compatibles avec Subsonic/Airsonic"
     },
-    "version": "0.47.5~ynh3",
+    "version": "0.48.0~ynh1",
     "url": "https://www.navidrome.org",
     "upstream": {
         "license": "GPL-3.0-only",
@@ -47,6 +47,16 @@
                     "fr": "Vous devez activer site public si vous souhaitez connecter un lecteur client à Navidrome. Vous pourrez changer ceci plus tard via la webadmin."
                 },
                 "default": true
+            },
+                        {
+                "name": "language",
+                "type": "string",
+                "ask": {
+                    "en": "Choose the application language",
+                    "fr": "Choisissez la langue de l'application"
+                },
+                "choices": ["fr", "en"],
+                "default": "fr"
             }
         ]
     }
diff --git a/scripts/change_url b/scripts/change_url
index 2c083c3..f791588 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -29,6 +29,7 @@ ynh_script_progression --message="Loading installation settings..." --weight=1
 # Needed for helper "ynh_add_nginx_config"
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 port=$(ynh_app_setting_get --app=$app --key=port)
+language=$(ynh_app_setting_get --app=$app --key=language)
 
 enable_downloads=$(ynh_app_setting_get --app=$app --key=enable_downloads)
 scanner_extractor=$(ynh_app_setting_get --app=$app --key=scanner_extractor)
diff --git a/scripts/install b/scripts/install
index 166ebe9..e50eefd 100644
--- a/scripts/install
+++ b/scripts/install
@@ -26,6 +26,7 @@ ynh_abort_if_errors
 domain=$YNH_APP_ARG_DOMAIN
 path_url=$YNH_APP_ARG_PATH
 is_public=$YNH_APP_ARG_IS_PUBLIC
+language=$YNH_APP_ARG_LANGUAGE
 
 app=$YNH_APP_INSTANCE_NAME
 
@@ -53,6 +54,7 @@ ynh_script_progression --message="Storing installation settings..." --weight=2
 
 ynh_app_setting_set --app=$app --key=domain --value=$domain
 ynh_app_setting_set --app=$app --key=path --value=$path_url
+ynh_app_setting_set --app=$app --key=language --value=$language
 ynh_app_setting_set --app=$app --key=enable_downloads --value=$enable_downloads
 ynh_app_setting_set --app=$app --key=scanner_extractor --value=$scanner_extractor
 ynh_app_setting_set --app=$app --key=enable_animation --value=$enable_animation
@@ -121,6 +123,8 @@ ynh_multimedia_build_main_dir
 ynh_script_progression --message="Adding a configuration file..." --weight=1
 
 config_path="/var/lib/$app"
+ynh_app_setting_set --app=$app --key=config_path --value=$config_path
+
 mkdir -p "$config_path"
 
 # Main config File
diff --git a/scripts/upgrade b/scripts/upgrade
index 52776d0..24282f4 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -18,6 +18,7 @@ app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
+language=$(ynh_app_setting_get --app=$app --key=language)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 port=$(ynh_app_setting_get --app=$app --key=port)
 
@@ -69,6 +70,11 @@ if ynh_legacy_permissions_exists; then
 	ynh_app_setting_delete --app=$app --key=is_public
 fi
 
+if [ -z "$language" ]; then
+	language="en"
+	ynh_app_setting_set --app=$app --key=language --value=$language
+fi
+
 if [ -z "$enable_animation" ]; then
 	enable_animation="true"
 	ynh_app_setting_set --app=$app --key=enable_animation --value=$enable_animation
@@ -141,7 +147,7 @@ ynh_add_nginx_config
 #=================================================
 # ynh_script_progression --message="Updating a configuration file..."
 
-# config_path="/var/lib/$app"
+config_path="/var/lib/$app"
 
 # # Uncomment when there is new options added upstream
 # ynh_add_config --template="../conf/navidrome.toml" --destination="$config_path/navidrome.toml"