diff --git a/test/test-abs-path-leak.js b/test/test-abs-path-leak.js
index 2c837677f..46a85e82c 100644
--- a/test/test-abs-path-leak.js
+++ b/test/test-abs-path-leak.js
@@ -67,6 +67,16 @@ test('Windows forward-slash drive path is detected', () => {
   assert(leakCount('See C:/Users/alex/notes.md for details.') === 1, 'C:/Users... not detected');
 });
 
+test('lowercase Windows drive path is detected', () => {
+  assert(leakCount('see c:\\Users\\alex\\notes.md') === 1, 'c:\\Users... not detected');
+  assert(leakCount('see c:/users/alex/notes.md') === 1, 'c:/users... not detected');
+});
+
+test('URLs are not flagged as drive-letter leaks', () => {
+  // https:// also contains "<letter>:/"; the \b in the pattern must exclude it.
+  assert(leakCount('docs at https://github.com/org/repo and http://example.com') === 0, 'URL falsely flagged');
+});
+
 test('Unix /Users path is detected', () => {
   assert(leakCount('open /Users/alex/secret.md') === 1, '/Users path not detected');
 });
diff --git a/tools/validate-file-refs.js b/tools/validate-file-refs.js
index ad6365ad9..4358bfe3f 100644
--- a/tools/validate-file-refs.js
+++ b/tools/validate-file-refs.js
@@ -67,9 +67,10 @@ const STEP_META = /(?:thisStepFile|nextStepFile|continueStepFile|skipToStepFile|
 const LOAD_DIRECTIVE = /Load[:\s]+`(\.[^`]+)`/g;
 
 // Pattern: absolute path leaks
-// Windows drive paths use a single separator (C:\Users or C:/Users). In a regex
-// literal `\\` already matches one backslash, so the class matches either separator.
-const ABS_PATH_LEAK = /(?:\/Users\/|\/home\/|[A-Z]:[\\/])/;
+// Windows drive paths use a single separator (C:\Users or C:/Users) and the drive
+// letter can be either case. The leading \b keeps URL schemes like https:// — which
+// also contain "<letter>:/" — from matching. In a regex literal `\\` is one backslash.
+const ABS_PATH_LEAK = /(?:\/Users\/|\/home\/|\b[A-Za-z]:[\\/])/;
 
 // --- Output Escaping ---