diff --git a/containers/auth-gateway/auth_gateway/services/policy_engine.py b/containers/auth-gateway/auth_gateway/services/policy_engine.py
index 9024062..4141e05 100644
--- a/containers/auth-gateway/auth_gateway/services/policy_engine.py
+++ b/containers/auth-gateway/auth_gateway/services/policy_engine.py
@@ -52,6 +52,13 @@ def build_effective_policy(runtime_config: RuntimeConfig, policy_name: str) -> E
     if policy.policy_type != "protected":
         return effective
 
+    if not policy.methods:
+        return EffectivePolicy(
+            name=policy_name,
+            mode="error",
+            error_message="Policy configuration error: protected policy has no authentication methods.",
+        )
+
     for method_name in policy.methods:
         method = runtime_config.auth_methods[method_name]
         if isinstance(method, IPAddressMethodModel):
diff --git a/containers/auth-gateway/auth_gateway/web/dependencies.py b/containers/auth-gateway/auth_gateway/web/dependencies.py
index 35ee6e7..78e2dad 100644
--- a/containers/auth-gateway/auth_gateway/web/dependencies.py
+++ b/containers/auth-gateway/auth_gateway/web/dependencies.py
@@ -24,6 +24,8 @@ def get_session(request: Request) -> SessionRecord | None:
 
 def build_external_url(request: Request, path: str, **params: str) -> str:
     proto = request.headers.get("x-forwarded-proto", request.url.scheme)
+    if proto not in ("http", "https"):
+        proto = "https"
     host = request.headers.get("host", request.url.netloc)
     prefix = request.app.state.settings.external_path.rstrip("/")
     query = urlencode({key: value for key, value in params.items() if value is not None})