diff --git a/src/precheck.ts b/src/precheck.ts
new file mode 100644
index 00000000..40ab2fdb
--- /dev/null
+++ b/src/precheck.ts
@@ -0,0 +1,22 @@
+import { Conf } from '@/config.ts';
+
+/** Ensure the media URL is not on the same host as the local domain. */
+function checkMediaHost() {
+  const { url, mediaDomain } = Conf;
+  const mediaUrl = new URL(mediaDomain);
+
+  if (url.host === mediaUrl.host) {
+    throw new PrecheckError('For security reasons, MEDIA_DOMAIN cannot be on the same host as LOCAL_DOMAIN.');
+  }
+}
+
+/** Error class for precheck errors. */
+class PrecheckError extends Error {
+  constructor(message: string) {
+    super(`${message}\nTo disable this check, set DITTO_PRECHECK="false"`);
+  }
+}
+
+if (Deno.env.get('DITTO_PRECHECK') !== 'false') {
+  checkMediaHost();
+}
diff --git a/src/server.ts b/src/server.ts
index 76cbc9f8..e3cf7caa 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -1,3 +1,4 @@
+import './precheck.ts';
 import app from './app.ts';
 
 Deno.serve(app.fetch);