diff --git a/server/src/services/company-portability.ts b/server/src/services/company-portability.ts
index 256e98d3..b1bb7ed9 100644
--- a/server/src/services/company-portability.ts
+++ b/server/src/services/company-portability.ts
@@ -2567,6 +2567,9 @@ function normalizeGitHubSourcePath(value: string | null | undefined) {
 export function parseGitHubSourceUrl(rawUrl: string) {
 const url = new URL(rawUrl);
+ if (url.protocol !== "https:") {
+ throw unprocessable("GitHub source URL must use HTTPS");
+ }
 const hostname = url.hostname;
 const parts = url.pathname.split("/").filter(Boolean);
 if (parts.length < 2) {
diff --git a/server/src/services/company-skills.ts b/server/src/services/company-skills.ts
index 8cefd2fd..a878a779 100644
--- a/server/src/services/company-skills.ts
+++ b/server/src/services/company-skills.ts
@@ -512,6 +512,9 @@ async function resolveGitHubCommitSha(owner: string, repo: string, ref: string,
 function parseGitHubSourceUrl(rawUrl: string) {
 const url = new URL(rawUrl);
+ if (url.protocol !== "https:") {
+ throw unprocessable("GitHub source URL must use HTTPS");
+ }
 const parts = url.pathname.split("/").filter(Boolean);
 if (parts.length < 2) {
 throw unprocessable("Invalid GitHub URL");
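Review bot: The added `url.protocol` guard in `parseGitHubSourceUrl` constrains only the scheme, while `url.hostname` on the next context line is still taken from caller-supplied input; whether it is later compared against an expected set of GitHub hosts is outside this hunk. If it is not, any HTTPS host reachable from the server is accepted as a source, so a host check belongs next to the scheme check. I would also reject embedded credentials here with `if (url.username || url.password) throw unprocessable("GitHub source URL must not contain credentials");`. The same applies to the copy of this function in company-skills.ts, where the visible lines do not read the hostname at all; both function bodies continue past the end of their hunks.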
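Review bot: This private `parseGitHubSourceUrl` now carries a second copy of the HTTPS guard that company-portability.ts exports under the same name, and a validation rule kept in two places tends to drift when one copy is tightened later. If the two functions return compatible values (not visible here), import the exported one; otherwise move the scheme check into a small shared helper that both call. Separately, `new URL(rawUrl)` on the line above the guard throws a `TypeError` for malformed input, so unless a caller outside the hunk maps it, that case will not surface as `unprocessable` like the other rejections. A short comment above the guard such as `// HTTPS only: never fetch sources over cleartext or non-web schemes` would record why the check exists.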