diff --git a/packages/backend/src/core/HttpRequestService.ts b/packages/backend/src/core/HttpRequestService.ts
index 7f3cac7c58..bea5dee6ab 100644
--- a/packages/backend/src/core/HttpRequestService.ts
+++ b/packages/backend/src/core/HttpRequestService.ts
@@ -15,6 +15,7 @@ import type { Config } from '@/config.js';
 import { StatusError } from '@/misc/status-error.js';
 import { bindThis } from '@/decorators.js';
 import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js';
+import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
 import type { IObject } from '@/core/activitypub/type.js';
 import type { Response } from 'node-fetch';
 import type { URL } from 'node:url';
@@ -125,7 +126,12 @@ export class HttpRequestService {
 			validators: [validateContentTypeSetAsActivityPub],
 		});
 
-		return await res.json() as IObject;
+		const finalUrl = res.url; // redirects may have been involved
+		const activity = await res.json() as IObject;
+
+		assertActivityMatchesUrls(activity, [url, finalUrl]);
+
+		return activity;
 	}
 
 	@bindThis
diff --git a/packages/backend/src/core/activitypub/misc/check-against-url.ts b/packages/backend/src/core/activitypub/misc/check-against-url.ts
new file mode 100644
index 0000000000..ec3dcf3aae
--- /dev/null
+++ b/packages/backend/src/core/activitypub/misc/check-against-url.ts
@@ -0,0 +1,46 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and sharkey-project and yumechi
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { metricCounter } from '@/server/api/MetricsService.js';
+import type { IObject } from '../type.js';
+
+const mFetchBadActivityUrl = metricCounter({
+	name: 'misskey_ap_fetch_bad_activity_url',
+	help: 'Fetches that failed because the activity URL did not match the expected Host',
+	labelNames: ['host_received', 'host_expected'],
+});
+
+function getHrefFrom(one: IObject|string): string | undefined {
+	if (typeof(one) === 'string') return one;
+	return one.href;
+}
+
+export function assertActivityMatchesUrls(activity: IObject, urls: string[]) {
+	const idOk = activity.id !== undefined && urls.includes(activity.id);
+	if (idOk) return;
+
+	const url = activity.url;
+	if (url) {
+		// `activity.url` can be an `ApObject = IObject | string | (IObject
+		// | string)[]`, we have to look inside it
+		const activityUrls = Array.isArray(url) ? url.map(getHrefFrom) : [getHrefFrom(url)];
+		const goodUrl = activityUrls.find(u => u && urls.includes(u));
+
+		if (goodUrl) return;
+	}
+
+	const hosts = urls.map(u => {
+		try {
+			return new URL(u).host;
+		} catch (e) {
+			return '[invalid]';
+		}
+	});
+
+	const sortDedup = (arr: string[]) => Array.from(new Set(arr)).sort();
+
+	mFetchBadActivityUrl?.inc({ host_received: sortDedup(hosts).join('|'), host_expected: sortDedup(urls).join('|') });
+
+	throw new Error(`bad Activity: neither id(${activity?.id}) nor url(${JSON.stringify(activity?.url)}) match location(${urls})`);
+}