diff --git a/tests/test_models.py b/tests/test_models.py
index 5ebb1f0f9..4de823b8d 100644
--- a/tests/test_models.py
+++ b/tests/test_models.py
@@ -584,3 +584,13 @@ def test_application_clean(oauth2_settings, application):
 with pytest.raises(ValidationError) as exc:
 application.clean()
 assert "You cannot use HS256" in str(exc.value)
+
+ application.authorization_grant_type = Application.GRANT_AUTHORIZATION_CODE
+
+ # allowed_origins can be only https://
+ application.allowed_origins = "http://example.com"
+ with pytest.raises(ValidationError) as exc:
+ application.clean()
+ assert "Enter a valid URL" in str(exc.value)
+ application.allowed_origins = "https://example.com"
+ application.clean()
diff --git a/tests/test_token_endpoint_cors.py b/tests/test_token_endpoint_cors.py
index d0eecb463..af5696c58 100644
--- a/tests/test_token_endpoint_cors.py
+++ b/tests/test_token_endpoint_cors.py
@@ -122,7 +122,7 @@ def test_origin_not_from_allowed_origins(self):
 }
 auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
- auth_headers["HTTP_ORIGIN"] = "another_example.org"
+ auth_headers["HTTP_ORIGIN"] = "https://another_example.org"
 response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
 self.assertEqual(response.status_code, 200)
 self.assertFalse(response.has_header("Access-Control-Allow-Origin"))
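Review bot: The negative case added to `test_application_clean` in tests/test_models.py asserts only the generic substring `"Enter a valid URL"`, so it would pass for any URL validation failure and does not tie the rejection to the plaintext `http://` scheme named in the comment. Only a single origin is exercised. If `allowed_origins` accepts a space-separated list (not visible in this hunk), add a mixed case such as `application.allowed_origins = "https://example.com http://example.com"` inside the same `pytest.raises(ValidationError)` block, so one insecure origin cannot pass validation alongside a valid one. A comment on the `authorization_grant_type` reset, for example `# reset grant type so the HS256 check above no longer fails clean()`, would also explain why that line is needed. The test function starts above the hunk.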
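Review bot: Replacing the scheme-less value on the `HTTP_ORIGIN` line of `test_origin_not_from_allowed_origins` in tests/test_token_endpoint_cors.py removes the only visible check that a malformed Origin header gets no `Access-Control-Allow-Origin`. Whether the token endpoint still answers such a header with 200 and no CORS header is not shown here, and it is the input a hostile or broken client is most likely to send. Keep both values by wrapping the request and the two assertions in `for origin in ("another_example.org", "https://another_example.org"):` with `with self.subTest(origin=origin):`. The test body starts above the hunk.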