mikkel/nexus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

test(server): add negative test for x-forwarded-host mismatch

Browse source 
Verifies the board mutation guard blocks requests when
X-Forwarded-Host is present but Origin does not match it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Van Horn 2026-03-26 16:39:46 -07:00
parent d0e01d2863
commit eb8c5d93e7
No known key found for this signature in database
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
server/src/__tests__/board-mutation-guard.test.ts
View file

@ -95,6 +95,17 @@ describe("boardMutationGuard", () => {
expect(res.status).toBe(204); expect(res.status).toBe(204);
}); });
it("blocks board mutations when x-forwarded-host does not match origin", async () => {
const app = createApp("board");
const res = await request(app)
.post("/mutate")
.set("Host", "127.0.0.1")
.set("X-Forwarded-Host", "10.90.10.20:3443")
.set("Origin", "https://evil.example.com")
.send({ ok: true });
expect(res.status).toBe(403);
});
it("does not block authenticated agent mutations", async () => { it("does not block authenticated agent mutations", async () => {
const middleware = boardMutationGuard(); const middleware = boardMutationGuard();
const req = { const req = {