diff --git a/doc/manual/rl-next/download-protocols.md b/doc/manual/rl-next/download-protocols.md
new file mode 100644
index 000000000..bf1bf79a3
--- /dev/null
+++ b/doc/manual/rl-next/download-protocols.md
@@ -0,0 +1,10 @@
+---
+synopsis: "transfers no longer allow arbitrary url schemas"
+category: Breaking Changes
+cls: [2106]
+credits: horrors
+---
+
+Lix no longer allows transfers using arbitrary url schemas. Only `http://`, `https://`, `ftp://`, `ftps://`, and `file://` urls are supported going forward. This affects `builtins.fetchurl`, `<nix/fetchurl.nix>`, transfers to and from binary caches, and all other uses of the internal file transfer code. Flake inputs using multi-protocol schemas (e.g. `git+ssh`) are not affected as those use external utilities to transfer data.
+
+The `s3://` scheme is not affected at all by this change and continues to work if S3 support is built into Lix.
diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc
index 34b92148e..acbb042b7 100644
--- a/src/libstore/filetransfer.cc
+++ b/src/libstore/filetransfer.cc
@@ -282,6 +282,8 @@ struct curlFileTransfer : public FileTransfer
             curl_easy_setopt(req, CURLOPT_PROGRESSDATA, this);
             curl_easy_setopt(req, CURLOPT_NOPROGRESS, 0);
 
+            curl_easy_setopt(req, CURLOPT_PROTOCOLS_STR, "http,https,ftp,ftps,file");
+
             curl_easy_setopt(req, CURLOPT_HTTPHEADER, requestHeaders);
 
             if (settings.downloadSpeed.get() > 0)