diff --git a/src/auth.go b/src/auth.go
index 3c59434..a177ead 100644
--- a/src/auth.go
+++ b/src/auth.go
@@ -417,22 +417,40 @@ func AuthorizeRepository(repoURL string, auth *Authorization) error {
 return nil // any
 }
 
+ repoURL = strings.ToLower(repoURL)
+
+ if config.Limits.AllowedRepositoryURLPrefixes != nil {
+ allowedPrefix := false
+ for _, allowedRepoURLPrefix := range config.Limits.AllowedRepositoryURLPrefixes {
+ if strings.HasPrefix(repoURL, strings.ToLower(allowedRepoURLPrefix)) {
+ allowedPrefix = true
+ break
+ }
+ }
+ if !allowedPrefix {
+ return AuthError{
+ http.StatusUnauthorized,
+ fmt.Sprintf("clone URL not in prefix allowlist %v",
+ config.Limits.AllowedRepositoryURLPrefixes),
+ }
+ }
+ }
+
 allowed := false
 for _, allowedRepoURL := range auth.repoURLs {
- if strings.EqualFold(repoURL, allowedRepoURL) {
+ if repoURL == strings.ToLower(allowedRepoURL) {
 allowed = true
 break
 }
 }
-
- if allowed {
- return nil
- } else {
+ if !allowed {
 return AuthError{
 http.StatusUnauthorized,
 fmt.Sprintf("clone URL not in allowlist %v", auth.repoURLs),
 }
 }
+
+ return nil
 }
 
 // The purpose of `allowRepoURLs` is to make sure that only authorized content is deployed
@@ -466,6 +484,10 @@ func AuthorizeUpdateFromArchive(r *http.Request) (*Authorization, error) {
 return auth, nil
 }
 
+ if config.Limits.AllowedRepositoryURLPrefixes != nil {
+ return nil, AuthError{http.StatusUnauthorized, "updating from archive not allowed"}
+ }
+
 // DNS challenge gives absolute authority.
 auth, err := authorizeDNSChallenge(r)
 if err != nil && IsUnauthorized(err) {
diff --git a/src/config.go b/src/config.go
index d2caf58..11bc6ec 100644
--- a/src/config.go
+++ b/src/config.go
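Review bot: The prefix allowlist loop added in AuthorizeRepository matches with `strings.HasPrefix(repoURL, strings.ToLower(allowedRepoURLPrefix))` and nothing anchors the match at a host or path boundary, so a configured prefix that does not end in `/` also admits any clone URL whose host or path merely starts with the same characters. Either validate at config-load time that every prefix ends with `/`, or compare parsed URL components (scheme and host exactly, then a path prefix) rather than raw strings; as a minimum, `strings.HasPrefix(repoURL, strings.TrimSuffix(strings.ToLower(allowedRepoURLPrefix), "/")+"/")` would force a boundary. The `!= nil` guard also means an empty-but-non-nil list rejects every URL, which is fail-closed but deserves a comment such as `// An empty (non-nil) prefix list rejects all clone URLs.` The new error string echoes the full configured list to the requester, mirroring the existing `auth.repoURLs` message; if the configuration is meant to stay private, log it server-side and return a generic message instead. The body of AuthorizeRepository starts before this hunk.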
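Review bot: The archive prohibition added in AuthorizeUpdateFromArchive sits below an earlier `return auth, nil` whose condition is outside this hunk, so whatever that branch authorizes presumably can still update from an archive even when `AllowedRepositoryURLPrefixes` is configured, which contradicts the config comment's unconditional "prohibits uploading archives". If the prohibition is meant to be absolute, move the `if config.Limits.AllowedRepositoryURLPrefixes != nil { ... }` block to the top of the function ahead of every early return. The check is the same `!= nil` test as in AuthorizeRepository, so an empty list also disables archive updates; a comment `// Any configured prefix list, even an empty one, disables archive updates.` would make that explicit. AuthorizeUpdateFromArchive starts outside the hunk.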
@@ -103,6 +103,8 @@ type LimitsConfig struct {
 MaxHeapSizeRatio float64 `toml:"max-heap-size-ratio" default:"0.5"`
 // List of domains unconditionally forbidden for uploads.
 ForbiddenDomains []string `toml:"forbidden-domains"`
+ // List of allowed repository URL prefixes. Setting this option prohibits uploading archives.
+ AllowedRepositoryURLPrefixes []string `toml:"allowed-repository-url-prefixes"`
 }
 
 func (config *Config) DebugJSON() string {
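Review bot: The comment on the new `AllowedRepositoryURLPrefixes` field does not say how a prefix is matched, which an operator needs in order to write a safe value: the accompanying auth.go change compares it case-insensitively as a plain string prefix of the clone URL, and an empty list counts as configured. Suggest expanding it to `// List of allowed repository URL prefixes, matched case-insensitively against the start of the clone URL; end each prefix with "/" so it cannot match a longer host or path. Setting this option, even to an empty list, prohibits uploading archives.`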