diff --git a/public/language/en-GB/error.json b/public/language/en-GB/error.json
index 80664c3265..cc51fa2611 100644
--- a/public/language/en-GB/error.json
+++ b/public/language/en-GB/error.json
@@ -281,5 +281,6 @@
 "activitypub.invalid-id": "Unable to resolve the input id, likely as it is malformed.",
 "activitypub.get-failed": "Unable to retrieve the specified resource.",
- "activitypub.pubKey-not-found": "Unable to resolve public key, so payload verification cannot take place."
+ "activitypub.pubKey-not-found": "Unable to resolve public key, so payload verification cannot take place.",
+ "activitypub.origin-mismatch": "The received object's origin does not match the sender's origin"
 }
diff --git a/src/activitypub/inbox.js b/src/activitypub/inbox.js
index 26be56e76a..08d9c96081 100644
--- a/src/activitypub/inbox.js
+++ b/src/activitypub/inbox.js
@@ -24,7 +24,14 @@ inbox.create = async (req) => {
 };
 inbox.update = async (req) => {
- const { object } = req.body;
+ const { actor, object } = req.body;
+
+ // Origin checking
+ const actorHostname = new URL(actor).hostname;
+ const objectHostname = new URL(object.id).hostname;
+ if (actorHostname !== objectHostname) {
+ throw new Error('[[error:activitypub.origin-mismatch]]');
+ }
 switch (object.type) {
 case 'Note': {
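Review bot: The new check in inbox.update compares only `hostname`, while the comment and the `activitypub.origin-mismatch` string promise an origin comparison; scheme and port are ignored, so an actor at one scheme/port and an object id at another on the same host pass as the same sender. Compare full origins instead: `const actorOrigin = new URL(actor).origin;` / `const objectOrigin = new URL(object.id).origin;` / `if (actorOrigin !== objectOrigin) {`. Separately, `new URL(actor)` and `new URL(object.id)` throw a bare TypeError when `actor` is absent or not a string or `object.id` is missing, so a malformed payload surfaces as an unexpected exception rather than a validation error; a guard such as `if (typeof actor !== 'string' || typeof object?.id !== 'string') throw new Error('[[error:activitypub.invalid-id]]');` before the URL parsing keeps the failure explicit. Whether the body's `actor` has already been tied to the verified request signature, and whether the same origin rule applies to the other inbox handlers, is outside this hunk; the body of inbox.update continues past it.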