diff --git a/config/policy.go b/config/policy.go
index 2c7dc6f95..6f0794525 100644
--- a/config/policy.go
+++ b/config/policy.go
@@ -1,6 +1,7 @@
 package config
 
 import (
+	"context"
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
@@ -17,6 +18,7 @@ import (
 
 	"github.com/pomerium/pomerium/internal/hashutil"
 	"github.com/pomerium/pomerium/internal/identity"
+	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
@@ -400,6 +402,10 @@ func (p *Policy) Validate() error {
 		return fmt.Errorf("config: policy source url (%s) contains a path, but it should be set using the path field instead",
 			source.String())
 	}
+	if source.Scheme == "http" {
+		log.Warn(context.Background()).Msgf("config: policy source url (%s) uses HTTP but only HTTPS is supported",
+			source.String())
+	}
 
 	p.Source = &StringURL{source}