diff --git a/configproxy.py b/configproxy.py
index 73f7a0b172b9aac69eaeac2286ceb7fecc0fff23..7d5ce97a16ed8812f2c2b4b2ececec06e928d2ae 100755
--- a/configproxy.py
+++ b/configproxy.py
@@ -158,13 +158,13 @@ def check_security(SECRET_KEY, SECURITY_KEY, SESSION_PROTECTION, SESSION_COOKIE_
             "Insufficient length of SECURITY_KEY, should be at "
             "least {}!".format(
                 MIN_KEY_LENGTH))
-    check_choice("SESSION_PROTECTION", SESSION_PROTECTION, ["strong"])
+    check_choice("SESSION_PROTECTION", SESSION_PROTECTION, ["strong", "none"])
     check_choice("SESSION_COOKIE_SECURE", SESSION_COOKIE_SECURE, [True, False])
     check_choice("SESSION_COOKIE_HTTPONLY", SESSION_COOKIE_HTTPONLY, [True, False])
     check_choice("SESSION_COOKIE_SAMESITE", SESSION_COOKIE_SAMESITE, ["Lax", "Strict"])
 
 
-def check_server_name(SERVER_NAME, PREFERRED_URL_SCHEME, CDN_URL):
+def check_server_name(SERVER_NAME, PREFERRED_URL_SCHEME, CDN_URL, PERMITTED_METADATA_DOMAINS):
     # todo: check ip address and server name
     check_choice(
         "PREFERRED_URL_SCHEME", PREFERRED_URL_SCHEME,
@@ -491,7 +491,12 @@ CONFIG_SECTIONS = [
                 name="CDN_URL",
                 default=None,
                 required=False, internal=False,
-                description="URL to get bootstrap and jQuery from.")
+                description="URL to get bootstrap and jQuery from."),
+            ConfigEntry(
+                name="PERMITTED_METADATA_DOMAINS",
+                default=[],
+                required=False, internal=False,
+                description="Domains allowed to be linked to in protocol metadata (e.g. location)."),
         ],
         check=check_server_name,
         description="Where is the website hosted"),
diff --git a/models/database.py b/models/database.py
index 3a5a2cb1c82b9fb1760b4a780871f74911671cfe..49e256ab3c58e69cbeda22c8527956b17b88d1d7 100644
--- a/models/database.py
+++ b/models/database.py
@@ -4,6 +4,7 @@ from datetime import datetime
 from io import BytesIO
 from enum import Enum
 from uuid import uuid4
+from urllib.parse import urlparse
 
 from shared import (
     db, date_filter_short, escape_tex, DATE_KEY, START_TIME_KEY, END_TIME_KEY,
@@ -901,6 +902,18 @@ class Meta(DatabaseModel):
     def get_parent(self):
         return self.protocol
 
+    def is_url(self):
+        print(self.value)
+        url = urlparse(self.value)
+        if not url.scheme == "https":
+            print(self.value, 1)
+            return False
+        if not url.netloc or url.netloc not in config.PERMITTED_METADATA_DOMAINS:
+            print(self.value, 2)
+            return False
+        print(self.value, 3)
+        return True
+
 
 class Like(DatabaseModel):
     __tablename__ = "likes"
diff --git a/templates/protocol-show.html b/templates/protocol-show.html
index b5546fe387a9786922c32abfee4a616d452431e1..3ee28171047218c9fd897e19e3178aed751f24fe 100644
--- a/templates/protocol-show.html
+++ b/templates/protocol-show.html
@@ -79,7 +79,7 @@
                 {% if has_public_view_right %}
                     {% for meta in protocol.metas %}
                         {% if not meta.internal or has_private_view_right %}
-                            <p><strong>{{meta.name}}:</strong> {{meta.value}}</p>
+                            <p><strong>{{meta.name}}:</strong> {% if meta.is_url() %}<a href="{{meta.value}}">{{meta.value}}</a>{% else %}{{meta.value}}{% endif %}</p>
                         {% endif %}
                     {% endfor %}
                 {% endif %}
@@ -88,7 +88,7 @@
                     <p><strong>Geplant:</strong> {{protocol.date|datify_long}}, {{protocol.get_time()|timify}}</p>
                 {% endif %}
                 {% for meta in protocol.metas %}
-                    <p><strong>{{meta.name}}:</strong> {{meta.value}}</p>
+                    <p><strong>{{meta.name}}:</strong> {% if meta.is_url() %}<a href="{{meta.value}}">{{meta.value}}</a>{% else %}{{meta.value}}{% endif %}</p>
                 {% endfor %}
             {% endif %}