diff --git a/auth/indieauth/helpers.go b/auth/indieauth/helpers.go
index f777c8754..159c30a33 100644
--- a/auth/indieauth/helpers.go
+++ b/auth/indieauth/helpers.go
@@ -74,6 +74,10 @@ func getAuthEndpointFromURL(urlstring string) (*url.URL, error) {
 return nil, errors.Wrap(err, "unable to parse URL")
 }
 
+ if htmlDocScrapeURL.Scheme != "https" {
+ return nil, fmt.Errorf("url must be https")
+ }
+
 r, err := http.Get(htmlDocScrapeURL.String()) // nolint:gosec
 if err != nil {
 return nil, err
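Review bot: The scheme check added before `http.Get` only validates the URL as supplied; the default client follows redirects, so an https page can still send the fetch to a plain-http location and the endpoint document is then read over an unauthenticated channel. Enforce the same rule on every hop with a client whose `CheckRedirect` rejects non-https targets; a custom `CheckRedirect` replaces the built-in 10-redirect cap, so keep a hop limit in it. The destination host is still unrestricted and the `nolint:gosec` suppression stays, so if this URL is user-supplied a host/address policy and a client timeout are worth considering as well. `getAuthEndpointFromURL` starts above this hunk and continues below it.

```go
	// … unchanged: https scheme check on htmlDocScrapeURL …
	client := &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return fmt.Errorf("stopped after 10 redirects")
			}
			if req.URL.Scheme != "https" {
				return fmt.Errorf("redirect must be https")
			}
			return nil
		},
	}
	r, err := client.Get(htmlDocScrapeURL.String()) // nolint:gosec
	// … unchanged: err check after the request …
```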