1 files changed, 14 insertions, 1 deletions

diff --git a/main.go b/main.go
index d80ba6a..41f8334 100644
--- a/main.go
+++ b/main.go
@@ -10,6 +10,7 @@ import (
 const (
 	errSrcInvalid     = "source is not a parsable URL"
 	errTgtNotAccepted = "can not process webmentions for this target"
+	errInvalidScheme  = "URL scheme is not HTTP(S)"
 )
 
 // endpoint is a webmention receiver.
@@ -19,15 +20,27 @@ type endpoint struct {
 
 // ServeHTTP is http.Handler implementation.
 func (ep endpoint) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	_, err := url.Parse(r.PostFormValue("source"))
+	source, err := url.Parse(r.PostFormValue("source"))
 	if err != nil {
 		w.WriteHeader(http.StatusBadRequest)
 		w.Write([]byte(errSrcInvalid))
+		return
+	}
+	if source.Scheme != "http" && source.Scheme != "https" {
+		w.WriteHeader(http.StatusBadRequest)
+		w.Write([]byte(errInvalidScheme))
+		return
 	}
 	target, err := url.Parse(r.PostFormValue("target"))
 	if err != nil || !ep.targetAllowed(target) {
 		w.WriteHeader(http.StatusBadRequest)
 		w.Write([]byte(errTgtNotAccepted))
+		return
+	}
+	if target.Scheme != "http" && target.Scheme != "https" {
+		w.WriteHeader(http.StatusBadRequest)
+		w.Write([]byte(errInvalidScheme))
+		return
 	}
 }