diff --git a/src/domains.js b/src/domains.js
index 0ac9ec66a..f0c91350c 100644
--- a/src/domains.js
+++ b/src/domains.js
@@ -116,6 +116,15 @@ function validateTlsConfig(tlsConfig, dnsProvider) {
 function validateWellKnown(wellKnown) {
 assert.strictEqual(typeof wellKnown, 'object');
+ if (wellKnown === null) return null;
+
+ for (const key of Object.keys(wellKnown)) {
+ if (typeof wellKnown[key] !== 'string') return new BoxError(BoxError.BAD_FIELD, `well-known value for ${key} must be a string`);
+ }
+
+ if (wellKnown.carddav && wellKnown.carddav.includes('://')) return new BoxError(BoxError.BAD_FIELD, 'carddav must be a domain, not a URL');
+ if (wellKnown.caldav && wellKnown.caldav.includes('://')) return new BoxError(BoxError.BAD_FIELD, 'caldav must be a domain, not a URL');
+
 return null;
 }
diff --git a/src/wellknown.js b/src/wellknown.js
index f9247a153..706874731 100644
--- a/src/wellknown.js
+++ b/src/wellknown.js
@@ -47,13 +47,13 @@ async function get(domain, location) {
 if (!domainObject) throw new BoxError(BoxError.NOT_FOUND, 'Domain not found');
 if (!domainObject.wellKnown || !domainObject.wellKnown.carddav) throw new BoxError(BoxError.NOT_FOUND, 'No custom well-known config');
- return { redirectTo: domainObject.wellKnown.carddav };
+ return { redirectTo: `https://${domainObject.wellKnown.carddav}` };
 } else if (location === 'caldav') {
 const domainObject = await domains.get(domain);
 if (!domainObject) throw new BoxError(BoxError.NOT_FOUND, 'Domain not found');
 if (!domainObject.wellKnown || !domainObject.wellKnown.caldav) throw new BoxError(BoxError.NOT_FOUND, 'No custom well-known config');
- return { redirectTo: domainObject.wellKnown.caldav };
+ return { redirectTo: `https://${domainObject.wellKnown.caldav}` };
 } else {
 throw new BoxError(BoxError.NOT_FOUND, 'No custom well-known config');
 }
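Review bot: In validateWellKnown (src/domains.js) the new `includes('://')` checks are a denylist, so a carddav/caldav value that carries a path, userinfo, query or whitespace still passes even though the error text says it must be a domain. The companion change in src/wellknown.js prefixes this value with `https://` to build a redirect target, so whatever is stored here determines the redirect's host and path. If only a bare host (optionally with a port) is intended, validate positively instead, e.g. `if (wellKnown.carddav && !/^[a-z0-9.-]+(:\d+)?$/i.test(wellKnown.carddav)) return new BoxError(BoxError.BAD_FIELD, 'carddav must be a domain, not a URL');` and the same for caldav. The type loop also assumes every well-known key holds a string; a one-line comment such as `// all well-known values are stored as strings` would document that contract if it is intended.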
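Review bot: Values stored before this commit are not handled by the new prefixing in get() (src/wellknown.js): the removed lines returned the stored string unchanged, so existing configs presumably hold full URLs, and `https://${...}` would then produce `https://https://…` in both the carddav and caldav branches. Nothing visible in this diff migrates or re-validates stored values, so either add a migration or guard at read time, e.g. `if (domainObject.wellKnown.carddav.includes('://')) throw new BoxError(BoxError.NOT_FOUND, 'No custom well-known config');` before building the redirect. The two branches differ only in the key and could share one lookup. get() starts before this hunk and may continue past it, so handling elsewhere in the function is not visible here.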