diff --git a/src/apps.js b/src/apps.js
index ca1858333..d3a0e823a 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -462,7 +462,15 @@ function validateUpstreamUri(upstreamUri) {
 assert.strictEqual(typeof upstreamUri, 'string');
 if (!upstreamUri) return null;
- if (upstreamUri.length > 256) return new BoxError(BoxError.BAD_FIELD, 'upstreamUri must be less than 256');
+
+ const uri = safe(() => new URL(upstreamUri));
+ if (!uri) return new BoxError(BoxError.BAD_FIELD, `upstreamUri is invalid: ${safe.error.message}`);
+ if (uri.protocol !== 'http:' && uri.protocol !== 'https:') return new BoxError(BoxError.BAD_FIELD, 'upstreamUri has an unsupported scheme');
+ if (uri.search || uri.hash) return new BoxError(BoxError.BAD_FIELD, 'upstreamUri cannot have search or hash');
+ if (uri.pathname !== '/') return new BoxError(BoxError.BAD_FIELD, 'upstreamUri cannot have a path');
+
+ // we use the uri in a named location @wellknown-upstream. nginx does not support having paths in it
+ if (upstreamUri.endsWith('/')) return new BoxError(BoxError.BAD_FIELD, 'upstreamUri cannot have a path');
 return null;
 }
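Review bot: Every new check inspects the parsed `uri`, but the function only returns null, so the caller presumably keeps the raw `upstreamUri` string, and the two can differ: the WHATWG parser behind `new URL()` drops ASCII tabs and newlines, trims surrounding whitespace, and accepts a `user:pass@` part that none of the checks look at. Because the comment says the value is used in an nginx named location, I would require the raw input to already be in normal form before `return null;`, e.g. `if (upstreamUri !== uri.origin) return new BoxError(BoxError.BAD_FIELD, 'upstreamUri must be of the form scheme://host[:port]');`. That also covers the trailing-slash case, though it is stricter, since it rejects upper-case hosts and explicit default ports. The old 256-character cap is removed without a replacement, so a length bound is worth keeping as well. How the value is written into the nginx config is outside this hunk, so confirm whether it is escaped or restricted to a conservative host character set there.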