diff --git a/.golangci.yml b/.golangci.yml
index 20f0472f0..a7b99f7d0 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -59,7 +59,7 @@ linters-settings:
check-shadowing: false
golint:
# minimal confidence for issues, default is 0.8
- min-confidence: 0.0
+ min-confidence: 0.8
gofmt:
# simplify code: gofmt with `-s` option, true by default
simplify: true
@@ -161,6 +161,29 @@ issues:
# it can be disabled by `exclude-use-default: false`. To list all
# excluded by default patterns execute `golangci-lint run --help`
exclude:
+ ## Defaults we want from golangci-lint
+ # errcheck: Almost all programs ignore errors on these functions and in most cases it's ok
+ - Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked
+ # golint: False positive when tests are defined in package 'test'
+ - func name will be used as test\.Test.* by other packages, and that stutters; consider calling this
+ # govet: Common false positives
+ - (possible misuse of unsafe.Pointer|should have signature)
+ # staticcheck: Developers tend to write in C-style with an explicit 'break' in a 'switch', so it's ok to ignore
+ - ineffective break statement. Did you mean to break out of the outer loop
+ # gosec: Too many false-positives on 'unsafe' usage
+ - Use of unsafe calls should be audited
+ # gosec: Too many false-positives for parametrized shell calls
+ - Subprocess launch(ed with variable|ing should be audited)
+ # gosec: Duplicated errcheck checks
+ - G104
+ # gosec: Too many issues in popular repos
+ - (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)
+ # gosec: False positive is triggered by 'src, err := ioutil.ReadFile(filename)'
+ - Potential file inclusion via variable
+
+ ##
+ ## Custom
+ ##
# Mostly harmless buffer writes where we skip error checking
# https://golang.org/pkg/bytes/#Buffer.Write
- "Error return value of `w.Write` is not checked"
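Review bot: The new `exclude:` entries turn the gosec messages `Potential file inclusion via variable`, `Subprocess launch…`, `Use of unsafe calls should be audited` and the 0750/0600 permission checks into repository-wide suppressions; because the `exclude-use-default: false` hunk that follows switches off golangci-lint's built-in list, this block appears to reproduce what was already suppressed, so net behaviour does not change, but making it explicit is the moment to trim it. For a proxy whose certificate, key and config paths come from configuration (this same commit documents `CertificateFromFile` and `CertPoolFromFile`), the file-inclusion and permission findings are the ones worth keeping visible; the stated justification (`ioutil.ReadFile(filename)` false positives) is better addressed with `issues.exclude-rules` entries that carry a `path:` or `linters:` filter than with a global pattern. Also `- G104` matches by rule id while the other entries match message text; a short comment that every entry is a regexp against the issue text (gosec includes the id in its message) would save the next editor from assuming ids work for other linters.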
@@ -201,7 +224,7 @@ issues:
# it can be disabled by this option. To list all
# excluded by default patterns execute `golangci-lint run --help`.
# Default value for this option is true.
- exclude-use-default: true
+ exclude-use-default: false
# Maximum issues count per one linter. Set to 0 to disable. Default is 50.
max-per-linter: 0
diff --git a/authenticate/authenticate.go b/authenticate/authenticate.go
index b7bb9f451..a6e63a1b9 100644
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@@ -1,3 +1,5 @@
+// Package authenticate is a pomerium service that handles user authentication
+// and refersh (AuthN).
package authenticate // import "github.com/pomerium/pomerium/authenticate"
import (
diff --git a/authorize/authorize.go b/authorize/authorize.go
index 16d0ea6f8..cd3ce3076 100644
--- a/authorize/authorize.go
+++ b/authorize/authorize.go
@@ -1,3 +1,5 @@
+// Package authorize is a pomerium service that is responsible for determining
+// if a given request should be authorized (AuthZ).
package authorize // import "github.com/pomerium/pomerium/authorize"
import (
diff --git a/cache/cache.go b/cache/cache.go
index 5d14a219a..fceaebf6e 100644
--- a/cache/cache.go
+++ b/cache/cache.go
@@ -1,3 +1,6 @@
+// Package cache is a pomerium service that handles the storage of user
+// session state. It communicates over RPC with other pomerium services,
+// and can be configured to use a number of different backend cache stores.
package cache // import "github.com/pomerium/pomerium/cache"
import (
diff --git a/config/doc.go b/config/doc.go
new file mode 100644
index 000000000..8c8e31c7b
--- /dev/null
+++ b/config/doc.go
@@ -0,0 +1,3 @@
+// Package config is a configuration abstraction that facilitates enabling
+// Pomerium settings forvarious encoding types (JSON/YAML/ENVARS) and methods.
+package config // import "github.com/pomerium/pomerium/config"
diff --git a/config/options.go b/config/options.go
index 8dbf5372c..3982cb88c 100644
--- a/config/options.go
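Review bot: The new package comment in authenticate/authenticate.go misspells refresh (`// and refersh (AuthN).`), and the config/doc.go comment on this same line runs two words together (`forvarious`); both are godoc text that pkg.go.dev shows as the package summary, so fix them before merge: `// and refresh (AuthN).` and `// Pomerium settings for various encoding types (JSON/YAML/ENVARS) and methods.`.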
+++ b/config/options.go
@@ -517,6 +517,9 @@ func (o *Options) Checksum() string {
return fmt.Sprintf("%x", hash)
}
+// HandleConfigUpdate takes configuration file, an existing options struct, and
+// updates each service in the services slice OptionsUpdater with a new set of
+// options if any change is detected.
func HandleConfigUpdate(configFile string, opt *Options, services []OptionsUpdater) *Options {
newOpt, err := NewOptionsFromConfig(configFile)
if err != nil {
diff --git a/internal/cryptutil/certificates.go b/internal/cryptutil/certificates.go
index d91973fbc..c0cd5dccb 100644
--- a/internal/cryptutil/certificates.go
+++ b/internal/cryptutil/certificates.go
@@ -11,6 +11,7 @@ import (
"io/ioutil"
)
+// CertifcateFromBase64 returns an X509 pair from a base64 encoded blob.
func CertifcateFromBase64(cert, key string) (*tls.Certificate, error) {
decodedCert, err := base64.StdEncoding.DecodeString(cert)
if err != nil {
@@ -24,11 +25,15 @@ func CertifcateFromBase64(cert, key string) (*tls.Certificate, error) {
return &x509, err
}
+// CertificateFromFile given a certificate, and key file path, returns a X509
+// keypair.
func CertificateFromFile(certFile, keyFile string) (*tls.Certificate, error) {
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
return &cert, err
}
+// CertPoolFromBase64 takes a base64 encoded string and returns a new
+// X509 certificate pool.
func CertPoolFromBase64(encPemCerts string) (*x509.CertPool, error) {
b, err := base64.StdEncoding.DecodeString(encPemCerts)
if err != nil {
@@ -37,6 +42,7 @@ func CertPoolFromBase64(encPemCerts string) (*x509.CertPool, error) {
return bytesToCertPool(b)
}
+// CertPoolFromFile reads a file and returns an X509 certificate pool.
func CertPoolFromFile(pemFile string) (*x509.CertPool, error) {
b, err := ioutil.ReadFile(pemFile)
if err != nil {
diff --git a/internal/cryptutil/doc.go b/internal/cryptutil/doc.go
new file mode 100644
index 000000000..8665c554c
--- /dev/null
+++ b/internal/cryptutil/doc.go
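Review bot: The added comment on HandleConfigUpdate is hard to parse (`takes configuration file, an existing options struct, and updates each service in the services slice OptionsUpdater`) and does not say what the `*Options` return is; the visible lines show it loading a fresh set via `NewOptionsFromConfig(configFile)`, and the body continues outside the hunk. Suggest `// HandleConfigUpdate reloads options from configFile and, when they differ from opt, hands the new options to every OptionsUpdater in services. It returns the options that are now in effect.` — which of the two option sets is returned when nothing changed or loading fails is decided below the hunk, so confirm that last sentence against the rest of the body before committing to it.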
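Review bot: `// CertifcateFromBase64 returns an X509 pair from a base64 encoded blob.` describes a single blob, but the signature takes two, `cert` and `key`, and the first visible line decodes `cert` on its own with `base64.StdEncoding.DecodeString`; say so, e.g. `// CertifcateFromBase64 returns a TLS certificate built from separately base64 encoded certificate and private key blobs.`. The exported identifier itself is misspelled (Certifcate), so the comment must keep the spelling until a rename lands; worth a follow-up. In the CertificateFromFile hunk the visible body is `cert, err := tls.LoadX509KeyPair(certFile, keyFile)` followed by `return &cert, err`, so a non-nil pointer comes back even when err is non-nil; the new doc comment should say that callers must check the error before using the certificate, since the zero-value pointer is otherwise easy to pass into a TLS config.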
@@ -0,0 +1,3 @@
+// Package cryptutil provides cryptographic utility functions, complementing the
+// lower level abstractions found in the standard library.
+package cryptutil // import "github.com/pomerium/pomerium/internal/cryptutil"
diff --git a/internal/encoding/econding.go b/internal/encoding/econding.go
index 10d8089b9..f5b98d191 100644
--- a/internal/encoding/econding.go
+++ b/internal/encoding/econding.go
@@ -1,3 +1,5 @@
+// Package encoding defines interfaces shared by other packages that
+// convert data to and from byte-level and textual representations.
package encoding // import "github.com/pomerium/pomerium/internal/encoding"
// MarshalUnmarshaler can both Marshal and Unmarshal a struct into and from a set of bytes.
diff --git a/internal/encoding/mock/mock_encoder.go b/internal/encoding/mock/mock_encoder.go
index f757fc521..9e07dc4cf 100644
--- a/internal/encoding/mock/mock_encoder.go
+++ b/internal/encoding/mock/mock_encoder.go
@@ -1,3 +1,4 @@
+// Package mock implements a mock implementation of MarshalUnmarshaler.
package mock // import "github.com/pomerium/pomerium/internal/encoding/mock"
import (
diff --git a/internal/fileutil/fileutil.go b/internal/fileutil/fileutil.go
index a7b0bba7e..4c172668d 100644
--- a/internal/fileutil/fileutil.go
+++ b/internal/fileutil/fileutil.go
@@ -1,3 +1,5 @@
+// Package fileutil provides file utility functions, complementing the
+// lower level abstractions found in the standard library.
package fileutil // import "github.com/pomerium/pomerium/internal/fileutil"
import (
diff --git a/internal/frontend/templates.go b/internal/frontend/templates.go
index 8be57731d..6612b5dc3 100644
--- a/internal/frontend/templates.go
+++ b/internal/frontend/templates.go
@@ -1,5 +1,7 @@
//go:generate statik -src=./assets -include=*.svg,*.html,*.css,*.js
+// Package frontend handles the generation, and instantiation of Pomerium's
+// html templates.
package frontend // import "github.com/pomerium/pomerium/internal/frontend"
import (
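Review bot: In internal/frontend/templates.go the new `// Package frontend …` comment lands directly after the `//go:generate statik …` directive, and the collapsed hunk does not show whether a blank line separates them; if none does, the directive becomes the first line of the package doc comment (older go/doc renders it as text), so keep an empty line between the directive and the comment. While here, drop the stray comma: `// Package frontend handles the generation and instantiation of Pomerium's`. The encoding/mock comment on this line is also tautological (`implements a mock implementation`); `// Package mock provides a mock MarshalUnmarshaler.` says the same thing.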
diff --git a/internal/grpc/authorize/client/authorize_client.go b/internal/grpc/authorize/client/authorize_client.go
index b6ee82096..4a4b73c04 100644
--- a/internal/grpc/authorize/client/authorize_client.go
+++ b/internal/grpc/authorize/client/authorize_client.go
@@ -1,3 +1,4 @@
+// Package client implements a gRPC client for the authorization service.
package client
import (
diff --git a/internal/grpc/cache/client/cache_client.go b/internal/grpc/cache/client/cache_client.go
index 41c636afb..983c6ee34 100644
--- a/internal/grpc/cache/client/cache_client.go
+++ b/internal/grpc/cache/client/cache_client.go
@@ -1,3 +1,4 @@
+// Package client implements a gRPC client for the cache service.
package client
import (
diff --git a/internal/grpc/docs.go b/internal/grpc/docs.go
new file mode 100644
index 000000000..a5bf444f5
--- /dev/null
+++ b/internal/grpc/docs.go
@@ -0,0 +1,3 @@
+// Package grpc provides gRPC utility functions, complementing the more
+// common ones in the github.com/grpc/grpc-go package
+package grpc // import "github.com/pomerium/pomerium/internal/grpc"
diff --git a/internal/grpcutil/doc.go b/internal/grpcutil/doc.go
new file mode 100644
index 000000000..1fd2a523a
--- /dev/null
+++ b/internal/grpcutil/doc.go
@@ -0,0 +1,2 @@
+// Package grpcutil contains utility functions for working with gRPC.
+package grpcutil // import "github.com/pomerium/pomerium/internal/grpcutil"
diff --git a/internal/httputil/docs.go b/internal/httputil/docs.go
new file mode 100644
index 000000000..f5f80d38d
--- /dev/null
+++ b/internal/httputil/docs.go
@@ -0,0 +1,3 @@
+// Package httputil provides HTTP utility functions, complementing the more
+// common ones in the net/http package
+package httputil // import "github.com/pomerium/pomerium/internal/httputil"
diff --git a/internal/kv/autocache/autocache.go b/internal/kv/autocache/autocache.go
index 919a5a9f2..b147b2c93 100644
--- a/internal/kv/autocache/autocache.go
+++ b/internal/kv/autocache/autocache.go
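Review bot: The new doc-only files are named inconsistently: internal/grpc/docs.go and internal/httputil/docs.go here, versus internal/grpcutil/doc.go on this same line and config/doc.go and internal/cryptutil/doc.go earlier in the commit; `doc.go` is the conventional name and the one readers look for, so rename the two `docs.go` files. Both of those comments also stop without a period (`…in the github.com/grpc/grpc-go package`, `…in the net/http package`), which godoc shows verbatim; add the terminating period, and since the Go module path for that library is google.golang.org/grpc, naming the import path rather than the GitHub repository would be more useful to a reader of the comment.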
@@ -1,3 +1,6 @@
+// Package autocache implements a key value store (kv.Store) using autocache
+// which combines functionality from groupcache, and memberlist libraries.
+// For more details, see https://github.com/pomerium/autocache
package autocache
import (
diff --git a/internal/kv/bolt/bolt.go b/internal/kv/bolt/bolt.go
index d680af811..7a9a1f1a6 100644
--- a/internal/kv/bolt/bolt.go
+++ b/internal/kv/bolt/bolt.go
@@ -1,3 +1,5 @@
+// Package bolt implements a key value store (kv.Store) using bbolt.
+// For more details, see https://github.com/etcd-io/bbolt
package bolt
import (
diff --git a/internal/kv/redis/redis.go b/internal/kv/redis/redis.go
index 45aa11c42..c852f628a 100644
--- a/internal/kv/redis/redis.go
+++ b/internal/kv/redis/redis.go
@@ -1,3 +1,5 @@
+// Package redis implements a key value store (kv.Store) using redis.
+// For more details, see https://redis.io/
package redis
import (
diff --git a/internal/kv/store.go b/internal/kv/store.go
index 4f22942ee..fb236d58e 100644
--- a/internal/kv/store.go
+++ b/internal/kv/store.go
@@ -1,3 +1,5 @@
+// Package kv defines a Store interfaces that can be implemented by
+// datastores to provide key value storage capabilities.
package kv
import "context"
diff --git a/internal/middleware/responsewriter/wrap_writer.go b/internal/middleware/responsewriter/wrap_writer.go
index 00432c240..0309a3473 100644
--- a/internal/middleware/responsewriter/wrap_writer.go
+++ b/internal/middleware/responsewriter/wrap_writer.go
@@ -1,3 +1,5 @@
+// Package responsewriter contains helper functions that useful for
+// hooking into various parts of a response.
package responsewriter
// The original work was derived from Goji's middleware, source:
diff --git a/internal/sessions/cache/cache_store.go b/internal/sessions/cache/cache_store.go
index 31ab91e79..b0eabe6d8 100644
--- a/internal/sessions/cache/cache_store.go
+++ b/internal/sessions/cache/cache_store.go
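Review bot: Two of the package comments added on this line have grammar slips that will show up as the package summary: internal/kv/store.go says `defines a Store interfaces` (should be `// Package kv defines a Store interface that can be implemented by`), and internal/middleware/responsewriter/wrap_writer.go says `helper functions that useful for` (should be `// Package responsewriter contains helper functions that are useful for`). The autocache comment in the first hunk also reads better without the comma and with the article: `// which combines functionality from the groupcache and memberlist libraries.`.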
@@ -1,3 +1,5 @@
+// Package cache provides a remote cache based implementation of session store
+// and loader. See pomerium's cache service for more details.
package cache // import "github.com/pomerium/pomerium/internal/sessions/cache"
import (
diff --git a/internal/sessions/cookie/cookie_store.go b/internal/sessions/cookie/cookie_store.go
index bf3d87769..57cd177b4 100644
--- a/internal/sessions/cookie/cookie_store.go
+++ b/internal/sessions/cookie/cookie_store.go
@@ -1,3 +1,4 @@
+// Package cookie provides a cookie based implementation of session store and loader.
package cookie // import "github.com/pomerium/pomerium/internal/sessions/cookie"
import (
diff --git a/internal/sessions/header/header_store.go b/internal/sessions/header/header_store.go
index 132cfdfd7..55b9d52fd 100644
--- a/internal/sessions/header/header_store.go
+++ b/internal/sessions/header/header_store.go
@@ -1,3 +1,5 @@
+// Package header provides a request header based implementation of a
+// session loader.
package header // import "github.com/pomerium/pomerium/internal/sessions/header"
import (
diff --git a/internal/sessions/mock/mock_store.go b/internal/sessions/mock/mock_store.go
index c787109a8..efc891832 100644
--- a/internal/sessions/mock/mock_store.go
+++ b/internal/sessions/mock/mock_store.go
@@ -1,3 +1,4 @@
+// Package mock provides a mock implementation of session store and loader.
package mock // import "github.com/pomerium/pomerium/internal/sessions/mock"
import (
diff --git a/internal/sessions/queryparam/query_store.go b/internal/sessions/queryparam/query_store.go
index 3ce7c25b9..d9eac72bc 100644
--- a/internal/sessions/queryparam/query_store.go
+++ b/internal/sessions/queryparam/query_store.go
@@ -1,3 +1,5 @@
+// Package queryparam provides a query param based implementation of a both
+// as session store and loader.
package queryparam // import "github.com/pomerium/pomerium/internal/sessions/queryparam"
import (
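Review bot: The queryparam package comment is garbled: `provides a query param based implementation of a both as session store and loader`. Suggest `// Package queryparam provides a query parameter based implementation of both a session store and a session loader.`, which matches the phrasing the cookie and mock comments on this line already use. The header package comment in the same run describes only a loader while the sibling packages describe store and loader; if that difference is intentional (header_store.go has no store side) a short clause saying so would stop readers from assuming the comment is just incomplete.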
diff --git a/internal/sessions/store.go b/internal/sessions/store.go
index 66df7452b..792b73500 100644
--- a/internal/sessions/store.go
+++ b/internal/sessions/store.go
@@ -1,3 +1,5 @@
+// Package sessions handles the storage, management, and validation
+// of pomerium user sessions.
package sessions // import "github.com/pomerium/pomerium/internal/sessions"
import (
diff --git a/internal/telemetry/metrics/doc.go b/internal/telemetry/metrics/doc.go
new file mode 100644
index 000000000..db718e836
--- /dev/null
+++ b/internal/telemetry/metrics/doc.go
@@ -0,0 +1,2 @@
+// Package metrics contains support for OpenCensus distributed metrics.
+package metrics // import "github.com/pomerium/pomerium/internal/telemetry/metrics"
diff --git a/internal/telemetry/metrics/info.go b/internal/telemetry/metrics/info.go
index 6fcc99d1a..3100a4513 100644
--- a/internal/telemetry/metrics/info.go
+++ b/internal/telemetry/metrics/info.go
@@ -154,7 +154,7 @@ func SetBuildInfo(service string) {
registry.setBuildInfo(service)
}
-// Register non-view based metrics registry globally for export
+// RegisterInfoMetrics registers non-view based metrics registry globally for export
func RegisterInfoMetrics() {
metricproducer.GlobalManager().AddProducer(registry.registry)
}
diff --git a/internal/telemetry/trace/doc.go b/internal/telemetry/trace/doc.go
new file mode 100644
index 000000000..026294e6d
--- /dev/null
+++ b/internal/telemetry/trace/doc.go
@@ -0,0 +1,2 @@
+// Package trace contains support for OpenCensus distributed tracing.
+package trace // import "github.com/pomerium/pomerium/internal/telemetry/trace"
diff --git a/internal/telemetry/trace/trace.go b/internal/telemetry/trace/trace.go
index d52a5fa79..ab7258c91 100644
--- a/internal/telemetry/trace/trace.go
+++ b/internal/telemetry/trace/trace.go
@@ -11,6 +11,7 @@ import (
)
const (
+ // JaegerTracingProviderName is the name of the tracing provider Jaeger.
JaegerTracingProviderName = "jaeger"
)
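Review bot: The rewritten comment on RegisterInfoMetrics still lacks an article and a terminating period, and "globally" is vaguer than the one-line body warrants: the function does exactly `metricproducer.GlobalManager().AddProducer(registry.registry)`. Suggest `// RegisterInfoMetrics adds the non-view based metrics registry to the global metric producer manager so that its metrics are picked up by the configured exporter.`; the metrics/doc.go hunk on this line identifies the framework as OpenCensus, so naming it in the comment is consistent. The JaegerTracingProviderName comment would also read more naturally as `// JaegerTracingProviderName is the tracing provider name for Jaeger.`.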
@@ -31,6 +32,7 @@ type TracingOptions struct {
JaegerAgentEndpoint string `mapstructure:"tracing_jaeger_agent_endpoint"`
}
+// RegisterTracing creates a new trace exporter from TracingOptions.
func RegisterTracing(opts *TracingOptions) error {
var err error
switch opts.Provider {
diff --git a/internal/tripper/roundtripper.go b/internal/tripper/roundtripper.go
index dbeb945db..755156828 100644
--- a/internal/tripper/roundtripper.go
+++ b/internal/tripper/roundtripper.go
@@ -1,3 +1,5 @@
+// Package tripper provides utility functions for working with the
+// http.RoundTripper interface.
package tripper // import "github.com/pomerium/pomerium/internal/tripper"
import (
diff --git a/internal/urlutil/url.go b/internal/urlutil/url.go
index f8ed0dd4d..fe258ad07 100644
--- a/internal/urlutil/url.go
+++ b/internal/urlutil/url.go
@@ -1,3 +1,4 @@
+// Package urlutil provides utility functions for working with go urls.
package urlutil // import "github.com/pomerium/pomerium/internal/urlutil"
import (
@@ -60,6 +61,7 @@ func ValidateURL(u *url.URL) error {
return nil
}
+// DeepCopy creates a deep copy of a *url.URL
func DeepCopy(u *url.URL) (*url.URL, error) {
if u == nil {
return nil, nil
diff --git a/internal/version/version.go b/internal/version/version.go
index 2fefb54b2..7072b7757 100644
--- a/internal/version/version.go
+++ b/internal/version/version.go
@@ -1,3 +1,4 @@
+// Package version enables setting build-time version using ldflags.
package version // import "github.com/pomerium/pomerium/internal/version"
import (
diff --git a/proxy/proxy.go b/proxy/proxy.go
index 5d2878832..d203607e0 100755
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -1,3 +1,7 @@
+// Package proxy is a pomerium service that provides reverse proxying of
+// internal routes. The proxy packages interoperates with other pomerium
+// services over RPC in order to make access control decisions about a
+// given incoming request.
package proxy // import "github.com/pomerium/pomerium/proxy"
import (
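Review bot: `// RegisterTracing creates a new trace exporter from TracingOptions.` describes a constructor, but the function returns only `error` and its name says Register, so whatever it builds must be installed as a side effect; the comment should state that, and what the error covers. The visible lines show the provider chosen by `switch opts.Provider` and the rest of the body lies outside the hunk, so a wording such as `// RegisterTracing configures and registers a trace exporter for the provider named by opts.Provider; it returns an error if the provider is unknown or cannot be set up.` needs the "unknown provider" clause confirmed against the switch's default branch before it goes in.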
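Review bot: `// DeepCopy creates a deep copy of a *url.URL` is missing its period and leaves out the one behaviour the hunk does show: the first lines are `if u == nil { return nil, nil }`, so a nil input yields a nil result with no error, which a caller must know before dereferencing what comes back. Suggest `// DeepCopy returns a deep copy of u. A nil u yields (nil, nil).`; how the remaining body produces the copy and when it returns a non-nil error lie outside the hunk, so leave those undocumented rather than guess.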
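Review bot: The proxy/proxy.go package comment has a number disagreement, `The proxy packages interoperates`; use `// internal routes. The proxy package interoperates with other pomerium`. Separately, and not something this commit changes, the file header shows `index 5d2878832..d203607e0 100755`, i.e. proxy.go carries the executable bit; a Go source file has no reason to be executable, so a follow-up that resets it to 100644 like the other files in this diff would be tidy.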