diff --git a/app/jobs/send_test_webhook_request_job.rb b/app/jobs/send_test_webhook_request_job.rb
index 682a3aac..158363ec 100644
--- a/app/jobs/send_test_webhook_request_job.rb
+++ b/app/jobs/send_test_webhook_request_job.rb
@@ -7,6 +7,9 @@ class SendTestWebhookRequestJob
 
   USER_AGENT = 'DocuSeal.com Webhook'
 
+  HttpsError = Class.new(StandardError)
+  LocalhostError = Class.new(StandardError)
+
   def perform(params = {})
     submitter = Submitter.find_by(id: params['submitter_id'])
 
@@ -16,6 +19,17 @@ class SendTestWebhookRequestJob
 
     return unless webhook_url
 
+    if Docuseal.multitenant?
+      uri = begin
+        URI(webhook_url.url)
+      rescue URI::Error
+        Addressable::URI.parse(webhook_url.url).normalize
+      end
+
+      raise HttpsError, 'Only HTTPS is allowed.' if uri.scheme != 'https'
+      raise LocalhostError, "Can't send to localhost." if uri.host.in?(SendWebhookRequest::LOCALHOSTS)
+    end
+
     Faraday.post(webhook_url.url,
                  {
                    event_type: 'form.completed',