diff --git a/configfileparser.cpp b/configfileparser.cpp
index 3e72711..50cad2f 100644
--- a/configfileparser.cpp
+++ b/configfileparser.cpp
@@ -22,6 +22,7 @@ License along with FlashMQ. If not, see .
#include
#include "fstream"
#include
+#include "sys/stat.h"
#include "openssl/ssl.h"
#include "openssl/err.h"
@@ -42,7 +43,7 @@ void ConfigFileParser::testKeyValidity(const std::string &key, const std::set max_size)
+ {
+ throw ConfigFileException(formatString("Error for '%s': '%s' is bigger than %ld bytes.", key.c_str(), pathToCheck.c_str(), max_size));
+ }
}
void ConfigFileParser::checkFileOrItsDirWritable(const std::string &filepath) const
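Review bot: The new exception message formats `max_size` with `%ld`, but the parameter is declared `ssize_t` in configfileparser.h, which is not `long` on every ABI. `%zd` is the matching conversion, assuming formatString forwards to a printf-style formatter. The message would also be easier to act on if it reported the size that was actually measured. The start of this hunk, including the condition that guards the throw, is truncated in this view, so the comparison itself could not be reviewed.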
@@ -105,7 +121,7 @@ void ConfigFileParser::loadFile(bool test)
if (path.empty())
return;
- checkFileExistsAndReadable("application config file", path);
+ checkFileExistsAndReadable("application config file", path, 1024*1024*10);
std::ifstream infile(path, std::ios::in);
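Review bot: The limit `1024*1024*10` is an unnamed literal, and the later hunks repeat the pattern with `1024*1024` (fullchain, privkey), `1024*1024*100` (auth_plugin) and `1024*1024*1024` (mosquitto password and ACL files). Named constants, for example `constexpr ssize_t MAX_CONFIG_FILE_SIZE = 10 * 1024 * 1024;`, would document each limit in one place and keep the products from being written in plain `int` arithmetic at every call site. The size is also sampled by a separate stat before `std::ifstream infile(path, ...)` opens the file, so it is a sanity limit at load time rather than a bound on what is subsequently read. A one-line comment saying so would prevent it being relied on as more. loadFile's body continues outside the hunk.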
@@ -236,10 +252,12 @@ void ConfigFileParser::loadFile(bool test)
}
else if (key == "fullchain")
{
+ checkFileExistsAndReadable("SSL fullchain", value, 1024*1024);
curListener->sslFullchain = value;
}
if (key == "privkey")
{
+ checkFileExistsAndReadable("SSL privkey", value, 1024*1024);
curListener->sslPrivkey = value;
}
if (key == "inet_protocol")
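Review bot: The `privkey` branch now validates that the key file exists, is readable and is under 1 MiB, but nothing visible here looks at who else can read it. Since the commit already includes `sys/stat.h`, a warning when `st_mode & (S_IRWXG | S_IRWXO)` is nonzero for the private key would catch a common misconfiguration at config-load time. Whether such a check exists elsewhere cannot be seen from this hunk, and loadFile's body continues outside it.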
@@ -278,7 +296,7 @@ void ConfigFileParser::loadFile(bool test)
if (key == "auth_plugin")
{
- checkFileExistsAndReadable(key, value);
+ checkFileExistsAndReadable(key, value, 1024*1024*100);
tmpSettings->authPluginPath = value;
}
@@ -346,11 +364,13 @@ void ConfigFileParser::loadFile(bool test)
if (key == "mosquitto_password_file")
{
+ checkFileExistsAndReadable("mosquitto_password_file", value, 1024*1024*1024);
tmpSettings->mosquittoPasswordFile = value;
}
if (key == "mosquitto_acl_file")
{
+ checkFileExistsAndReadable("mosquitto_acl_file", value, 1024*1024*1024);
tmpSettings->mosquittoAclFile = value;
}
diff --git a/configfileparser.h b/configfileparser.h
index 7989c9c..325ffda 100644
--- a/configfileparser.h
+++ b/configfileparser.h
@@ -24,6 +24,7 @@ License along with FlashMQ. If not, see .
#include
#include
#include
+#include
#include "sslctxmanager.h"
#include "listener.h"
@@ -44,7 +45,7 @@ class ConfigFileParser
std::set validListenKeys;
void testKeyValidity(const std::string &key, const std::set &validKeys) const;
- void checkFileExistsAndReadable(const std::string &key, const std::string &pathToCheck) const;
+ void checkFileExistsAndReadable(const std::string &key, const std::string &pathToCheck, ssize_t max_size = std::numeric_limits::max()) const;
void checkFileOrItsDirWritable(const std::string &filepath) const;
public:
ConfigFileParser(const std::string &path);
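Review bot: The new defaulted `max_size` parameter on checkFileExistsAndReadable has no comment, so the declaration does not say that the unit is bytes or that omitting the argument effectively disables the limit. A line above the declaration such as `// max_size: upper bound in bytes for the file at pathToCheck; the default means no practical limit.` would make that explicit. Because the default keeps two-argument calls compiling, any call site that was not updated silently gets no limit, so it is worth confirming that none remain.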
diff --git a/utils.cpp b/utils.cpp
index f970b69..07e6704 100644
--- a/utils.cpp
+++ b/utils.cpp
@@ -15,6 +15,8 @@ You should have received a copy of the GNU Affero General Public
License along with FlashMQ. If not, see .
*/
+#include "sys/stat.h"
+
#include "utils.h"
#include "sys/time.h"
@@ -465,6 +467,12 @@ void testSsl(const std::string &fullchain, const std::string &privkey)
if (privkey.empty())
throw ConfigFileException("No fullchain specified for private key");
+ if (getFileSize(fullchain) == 0)
+ throw ConfigFileException(formatString("SSL 'fullchain' file '%s' is empty or invalid", fullchain.c_str()));
+
+ if (getFileSize(privkey) == 0)
+ throw ConfigFileException(formatString("SSL 'privkey' file '%s' is empty or invalid", privkey.c_str()));
+
SslCtxManager sslCtx;
if (SSL_CTX_use_certificate_file(sslCtx.get(), fullchain.c_str(), SSL_FILETYPE_PEM) != 1)
{
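Review bot: The two added guards compare `getFileSize(...)` with `== 0`, but getFileSize returns -1 when stat() fails, so a missing or inaccessible file passes the guard even though the message says "empty or invalid". Using `if (getFileSize(fullchain) <= 0)` and `if (getFileSize(privkey) <= 0)` would make both cases produce this error instead of falling through to the OpenSSL call. testSsl's body continues outside the hunk.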
@@ -541,3 +549,13 @@ BindAddr getBindAddr(int family, const std::string &bindAddress, int port)
return result;
}
+
+ssize_t getFileSize(const std::string &path)
+{
+ struct stat statbuf;
+ memset(&statbuf, 0, sizeof(struct stat));
+ if (stat(path.c_str(), &statbuf) < 0)
+ return -1;
+
+ return statbuf.st_size;
+}
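Review bot: getFileSize returns `st_size` for whatever stat() resolves to, so a directory or other non-regular path typically reports a nonzero size and gets past the `== 0` guards added in testSsl. Adding `if (!S_ISREG(statbuf.st_mode)) return -1;` after the stat() call would reject those. `st_size` is an `off_t`, which can be wider than `ssize_t` on 32-bit builds with large-file support, so the implicit conversion on return may truncate. Returning `off_t` or clamping the value would avoid that. A short comment stating that -1 means stat() failed would also help callers, since the function otherwise gives no hint about the error case.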
diff --git a/utils.h b/utils.h
index ad3390e..8fc5a0f 100644
--- a/utils.h
+++ b/utils.h
@@ -86,5 +86,7 @@ std::string dirnameOf(const std::string& fname);
BindAddr getBindAddr(int family, const std::string &bindAddress, int port);
+ssize_t getFileSize(const std::string &path);
+
#endif // UTILS_H