diff --git a/lib/smile-identity-core/web_api.rb b/lib/smile-identity-core/web_api.rb
index 43325a0..786d94c 100644
--- a/lib/smile-identity-core/web_api.rb
+++ b/lib/smile-identity-core/web_api.rb
@@ -312,6 +312,7 @@ def zip_up_file(info_json)
 end
 def upload_file(url, info_json, smile_job_id)
+ validate_upload_url!(url)
 file = zip_up_file(info_json)
 file.rewind
@@ -336,6 +337,20 @@ def upload_file(url, info_json, smile_job_id)
 request.run
 end
+ # Validate upload_url against expected host/prefix
+ def validate_upload_url!(upload_url)
+ allowed_host = URI.parse(@url).host
+ begin
+ uri = URI.parse(upload_url)
+ rescue URI::InvalidURIError
+ raise ArgumentError, "Invalid upload_url"
+ end
+ # Only allow URLs that match the known host
+ unless uri.host == allowed_host
+ raise ArgumentError, "Untrusted upload_url: #{upload_url}"
+ end
+ end
+
 def query_job_status(counter = 0)
 counter < 4 ? (sleep 2) : (sleep 6)
 counter += 1
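Review bot: The host comparison in `validate_upload_url!` accepts URLs it should reject: the scheme is never checked, so an `http://` URL on the allowed host passes and the zipped job data would be sent unencrypted, and `uri.host == allowed_host` is also true when both sides are `nil` (a scheme-less `@url` together with a host-less `upload_url`). I would parse `@url` once into `allowed` and guard with `unless uri.scheme == allowed.scheme && uri.host && uri.host.casecmp?(allowed.host.to_s)`, so the check fails closed. The message `"Untrusted upload_url: #{upload_url}"` echoes the whole URL into exceptions and logs; if upload URLs can carry signed query parameters, report only `uri.host`. It is also worth confirming that upload URLs are actually issued on the same host as `@url`, because if they point at a separate storage host this check would reject every upload.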