From eb8c5d93e7ada8327bbb0fc77a0bf66aa1d5fe86 Mon Sep 17 00:00:00 2001
From: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Date: Thu, 26 Mar 2026 16:39:46 -0700
Subject: [PATCH] test(server): add negative test for x-forwarded-host mismatch

Verifies the board mutation guard blocks requests when X-Forwarded-Host is present but Origin does not match it.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 server/src/__tests__/board-mutation-guard.test.ts | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/server/src/__tests__/board-mutation-guard.test.ts b/server/src/__tests__/board-mutation-guard.test.ts
index 03c1a8df..9a4789b2 100644
--- a/server/src/__tests__/board-mutation-guard.test.ts
+++ b/server/src/__tests__/board-mutation-guard.test.ts
@@ -95,6 +95,17 @@ describe("boardMutationGuard", () => {
 expect(res.status).toBe(204);
 });
 
+ it("blocks board mutations when x-forwarded-host does not match origin", async () => {
+ const app = createApp("board");
+ const res = await request(app)
+ .post("/mutate")
+ .set("Host", "127.0.0.1")
+ .set("X-Forwarded-Host", "10.90.10.20:3443")
+ .set("Origin", "https://evil.example.com")
+ .send({ ok: true });
+ expect(res.status).toBe(403);
+ });
+
 it("does not block authenticated agent mutations", async () => {
 const middleware = boardMutationGuard();
 const req = {
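Review bot: The new case does not actually prove that the guard consults X-Forwarded-Host, because `https://evil.example.com` matches neither the `Host` value nor the `X-Forwarded-Host` value, so a guard that ignored the forwarded header entirely would also return 403. To make the assertion discriminating, set Origin to agree with Host but not with the forwarded host, e.g. `.set("Origin", "http://127.0.0.1")`, either by changing this case or by adding a second one and keeping this one as the plain cross-origin rejection. It would also help to have a positive control in which Origin matches the forwarded host (`https://10.90.10.20:3443`) and the request is accepted; the test ending just above the added lines may already be that case, but its setup is outside the hunk. The enclosing describe block starts and ends outside the hunk.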