diff --git a/README.md b/README.md
index 95e45c5..fcb2540 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,8 @@
 # L402 Core
 [![Release Version](https://img.shields.io/github/release/gofeuer/l402.svg)](https://github.com/gofeuer/l402/releases)
+![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/gofeuer/l402)
+![macaroon.v2](https://img.shields.io/badge/dependency_count-1-blue)
+![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/gofeuer/l402/golangci-lint.yml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/gofeuer/l402)](https://goreportcard.com/report/github.com/gofeuer/l402)
 ![Lightning Network](https://img.shields.io/badge/bitcoin-lightning_network-792EE5)
 [![Donate Bitcoin on chain](https://img.shields.io/badge/donate-bitcoin-F7931A?logo=bitcoin)](https://www.bitcoinqrcodemaker.com/pay/?type=1&style=bitcoin&address=bc1qanlngx9pfm2pkszm7lx88wp2qa6eh9juuskpl0e5a00edslhe89qtdejr0)
diff --git a/macaroon.go b/macaroon.go
index 5841eb5..35ca393 100644
--- a/macaroon.go
+++ b/macaroon.go
@@ -51,6 +51,8 @@ func UnmarshalMacaroons(macaroonsBase64 string) (map[Identifier]macaroon.Macaroo
 		return nil, err
 	}
 
+	// A base64.CorruptInputError means that macaroonsBase64 likely contains commas
+	// So we try unmarshal macaroonsBase64 again expecting it to have multiple macaroons
 	macaroons := make(map[Identifier]macaroon.Macaroon)
 	for i, macaroonBase64 := range strings.Split(macaroonsBase64, ",") {
 		identifier, macaroon, err := UnmarshalMacaroon(macaroonBase64)
diff --git a/middleware.go b/middleware.go
index 330a2c7..9c96705 100644
--- a/middleware.go
+++ b/middleware.go
@@ -58,7 +58,7 @@ func (p proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 const (
 	hexBlockSize    = BlockSize * 2
-	expectedMatches = 3 // header value, macaroonBase64, preimageHex
+	expectedMatches = 3 // authorizationMatcher matches: the header, macaroonBase64 and preimageHex
 )
 
 var authorizationMatcher = regexp.MustCompile(fmt.Sprintf("L402 (.*?):([a-f0-9]{%d})", hexBlockSize))
@@ -74,6 +74,7 @@ func getL402AuthorizationHeader(r *http.Request) (string, string, bool) {
 
 func validatePreimage(macaroons map[Identifier]macaroon.Macaroon, preimageHex string) bool {
 	var preimageHash Hash
+	// preimageHex is guaranteed by authorizationMatcher to be [a-f0-9]{sha256.Size * 2}
 	hex.Decode(preimageHash[:], []byte(preimageHex)) //nolint:errcheck
 	preimageHash = sha256.Sum256(preimageHash[:])