diff --git a/server/src/__tests__/board-mutation-guard.test.ts b/server/src/__tests__/board-mutation-guard.test.ts
index 03c1a8df..9a4789b2 100644
--- a/server/src/__tests__/board-mutation-guard.test.ts
+++ b/server/src/__tests__/board-mutation-guard.test.ts
@@ -95,6 +95,17 @@ describe("boardMutationGuard", () => {
 expect(res.status).toBe(204);
 });
 
+ it("blocks board mutations when x-forwarded-host does not match origin", async () => {
+ const app = createApp("board");
+ const res = await request(app)
+ .post("/mutate")
+ .set("Host", "127.0.0.1")
+ .set("X-Forwarded-Host", "10.90.10.20:3443")
+ .set("Origin", "https://evil.example.com")
+ .send({ ok: true });
+ expect(res.status).toBe(403);
+ });
+
 it("does not block authenticated agent mutations", async () => {
 const middleware = boardMutationGuard();
 const req = {
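Review bot: The new test does not actually prove that the guard consults X-Forwarded-Host, because the Host it sends (`127.0.0.1`) also mismatches the Origin (`https://evil.example.com`), so a guard that ignores the forwarded header entirely and compares Origin against Host would return 403 here as well. A discriminating case would send a Host that agrees with the Origin while the forwarded host differs, e.g. `.set("Host", "evil.example.com")`, `.set("X-Forwarded-Host", "10.90.10.20:3443")`, `.set("Origin", "https://evil.example.com")`, and still expect 403; the mirror case (forwarded host matching the Origin while Host differs) expecting a non-403 would pin the precedence the other way. The hunk also shows no positive case where X-Forwarded-Host matches the Origin and the mutation is allowed; if that is not covered elsewhere in this file it is worth adding so the check cannot degrade into rejecting every forwarded request. Presumably the guard is only meant to honour X-Forwarded-Host behind a trusted proxy — the guard's implementation is outside this hunk, so I cannot confirm whether that trust boundary is enforced or tested.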