diff --git a/.golangci.yml b/.golangci.yml
index 4e3a4061..901a89b8 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -77,8 +77,12 @@ linters:
         - "1"
         - "2"
         - "3"
+        - "0666"
+        - "0700"
+        - "0700"
       ignored-functions:
         - strings.SplitN
+        - make
     nolintlint:
       allow-unused: false # report any unused nolint directives
       require-explanation: false # require an explanation for nolint directives
diff --git a/cmd/root.go b/cmd/root.go
index 572536d4..d9f37889 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -63,7 +63,7 @@ func addServerFlags(flags *pflag.FlagSet) {
 	flags.StringP("key", "k", "", "tls key")
 	flags.StringP("root", "r", ".", "root to prepend to relative paths")
 	flags.String("socket", "", "socket to listen to (cannot be used with address, port, cert nor key flags)")
-	flags.Uint32("socket-perm", 0666, "unix socket file permissions") //nolint:mnd
+	flags.Uint32("socket-perm", 0666, "unix socket file permissions")
 	flags.StringP("baseurl", "b", "", "base url")
 	flags.String("cache-dir", "", "file cache directory (disabled if empty)")
 	flags.String("token-expiration-time", "2h", "user session timeout")
@@ -131,7 +131,7 @@ user created with the credentials from options "username" and "password".`,
 		cacheDir, err := cmd.Flags().GetString("cache-dir")
 		checkErr(err)
 		if cacheDir != "" {
-			if err := os.MkdirAll(cacheDir, 0700); err != nil { //nolint:govet,mnd
+			if err := os.MkdirAll(cacheDir, 0700); err != nil { //nolint:govet
 				log.Fatalf("can't make directory %s: %s", cacheDir, err)
 			}
 			fileCache = diskcache.New(afero.NewOsFs(), cacheDir)
@@ -180,7 +180,10 @@ user created with the credentials from options "username" and "password".`,
 		defer listener.Close()
 
 		log.Println("Listening on", listener.Addr().String())
-		srv := &http.Server{Handler: handler}
+		srv := &http.Server{
+			Handler:           handler,
+			ReadHeaderTimeout: 60 * time.Second,
+		}
 
 		go func() {
 			if err := srv.Serve(listener); !errors.Is(err, http.ErrServerClosed) {
@@ -194,14 +197,13 @@ user created with the credentials from options "username" and "password".`,
 		signal.Notify(sigc, os.Interrupt, syscall.SIGTERM)
 		<-sigc
 
-		shutdownCtx, shutdownRelease := context.WithTimeout(context.Background(), 10*time.Second)
+		shutdownCtx, shutdownRelease := context.WithTimeout(context.Background(), 10*time.Second) //nolint:mnd
 		defer shutdownRelease()
 
 		if err := srv.Shutdown(shutdownCtx); err != nil {
 			log.Fatalf("HTTP shutdown error: %v", err)
 		}
 		log.Println("Graceful shutdown complete.")
-
 	}, pythonConfig{allowNoDB: true}),
 }
 
diff --git a/cmd/utils.go b/cmd/utils.go
index 605020c8..909a1558 100644
--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -73,7 +73,7 @@ func dbExists(path string) (bool, error) {
 		d := filepath.Dir(path)
 		_, err = os.Stat(d)
 		if os.IsNotExist(err) {
-			if err := os.MkdirAll(d, 0700); err != nil { //nolint:govet,mnd
+			if err := os.MkdirAll(d, 0700); err != nil { //nolint:govet
 				return false, err
 			}
 			return false, nil
diff --git a/diskcache/file_cache.go b/diskcache/file_cache.go
index 26d5e336..cd5e27c7 100644
--- a/diskcache/file_cache.go
+++ b/diskcache/file_cache.go
@@ -37,11 +37,11 @@ func (f *FileCache) Store(_ context.Context, key string, value []byte) error {
 	defer mu.Unlock()
 
 	fileName := f.getFileName(key)
-	if err := f.fs.MkdirAll(filepath.Dir(fileName), 0700); err != nil { //nolint:mnd
+	if err := f.fs.MkdirAll(filepath.Dir(fileName), 0700); err != nil {
 		return err
 	}
 
-	if err := afero.WriteFile(f.fs, fileName, value, 0700); err != nil { //nolint:mnd
+	if err := afero.WriteFile(f.fs, fileName, value, 0700); err != nil {
 		return err
 	}
 
diff --git a/files/file.go b/files/file.go
index 9f108d11..d3513efb 100644
--- a/files/file.go
+++ b/files/file.go
@@ -313,7 +313,7 @@ func (i *FileInfo) readFirstBytes() []byte {
 	}
 	defer reader.Close()
 
-	buffer := make([]byte, 512) //nolint:mnd
+	buffer := make([]byte, 512)
 	n, err := reader.Read(buffer)
 	if err != nil && !errors.Is(err, io.EOF) {
 		log.Print(err)
diff --git a/http/share.go b/http/share.go
index 360d812c..e1036d2a 100644
--- a/http/share.go
+++ b/http/share.go
@@ -91,7 +91,7 @@ var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request
 		defer r.Body.Close()
 	}
 
-	bytes := make([]byte, 6) //nolint:mnd
+	bytes := make([]byte, 6)
 	_, err := rand.Read(bytes)
 	if err != nil {
 		return http.StatusInternalServerError, err
@@ -130,7 +130,7 @@ var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request
 
 	var token string
 	if len(hash) > 0 {
-		tokenBuffer := make([]byte, 96) //nolint:mnd
+		tokenBuffer := make([]byte, 96)
 		if _, err := rand.Read(tokenBuffer); err != nil {
 			return http.StatusInternalServerError, err
 		}
diff --git a/img/service.go b/img/service.go
index c949a911..2791c387 100644
--- a/img/service.go
+++ b/img/service.go
@@ -207,7 +207,7 @@ func getEmbeddedThumbnail(in io.Reader) ([]byte, io.Reader, error) {
 
 	offset := 0
 	offsets := []int{12, 30}
-	head := make([]byte, 0xffff) //nolint:mnd
+	head := make([]byte, 0xffff)
 
 	_, err := r.Read(head)
 	if err != nil {
diff --git a/settings/settings.go b/settings/settings.go
index b12ae826..86518a3a 100644
--- a/settings/settings.go
+++ b/settings/settings.go
@@ -72,7 +72,7 @@ func (s *Server) GetTokenExpirationTime(fallback time.Duration) time.Duration {
 
 // GenerateKey generates a key of 512 bits.
 func GenerateKey() ([]byte, error) {
-	b := make([]byte, 64) //nolint:mnd
+	b := make([]byte, 64)
 	_, err := rand.Read(b)
 	// Note that err == nil only if we read len(b) bytes.
 	if err != nil {