diff --git a/pkg/web/server_test.go b/pkg/web/server_test.go
new file mode 100644
index 0000000..f8481ae
--- /dev/null
+++ b/pkg/web/server_test.go
@@ -0,0 +1,107 @@
+package web
+
+import (
+ "net/http"
+ "net/http/httptest"
+ "strings"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestOverview_Returns200WithKeyHunter(t *testing.T) {
+ srv, err := NewServer(Config{})
+ require.NoError(t, err)
+
+ req := httptest.NewRequest(http.MethodGet, "/", nil)
+ rec := httptest.NewRecorder()
+ srv.Router().ServeHTTP(rec, req)
+
+ assert.Equal(t, http.StatusOK, rec.Code)
+ assert.Contains(t, rec.Body.String(), "KeyHunter")
+}
+
+func TestStaticAsset_HtmxJS(t *testing.T) {
+ srv, err := NewServer(Config{})
+ require.NoError(t, err)
+
+ req := httptest.NewRequest(http.MethodGet, "/static/htmx.min.js", nil)
+ rec := httptest.NewRecorder()
+ srv.Router().ServeHTTP(rec, req)
+
+ assert.Equal(t, http.StatusOK, rec.Code)
+ assert.Contains(t, rec.Body.String(), "htmx")
+}
+
+func TestAuth_Returns401_WhenConfiguredButNoCreds(t *testing.T) {
+ srv, err := NewServer(Config{
+ AuthUser: "admin",
+ AuthPass: "secret",
+ })
+ require.NoError(t, err)
+
+ req := httptest.NewRequest(http.MethodGet, "/", nil)
+ rec := httptest.NewRecorder()
+ srv.Router().ServeHTTP(rec, req)
+
+ assert.Equal(t, http.StatusUnauthorized, rec.Code)
+ assert.Contains(t, rec.Header().Get("WWW-Authenticate"), "Basic")
+}
+
+func TestAuth_BasicAuth_Returns200(t *testing.T) {
+ srv, err := NewServer(Config{
+ AuthUser: "admin",
+ AuthPass: "secret",
+ })
+ require.NoError(t, err)
+
+ req := httptest.NewRequest(http.MethodGet, "/", nil)
+ req.SetBasicAuth("admin", "secret")
+ rec := httptest.NewRecorder()
+ srv.Router().ServeHTTP(rec, req)
+
+ assert.Equal(t, http.StatusOK, rec.Code)
+ assert.Contains(t, rec.Body.String(), "KeyHunter")
+}
+
+func TestAuth_BearerToken_Returns200(t *testing.T) {
+ srv, err := NewServer(Config{
+ AuthToken: "my-secret-token",
+ })
+ require.NoError(t, err)
+
+ req := httptest.NewRequest(http.MethodGet, "/", nil)
+ req.Header.Set("Authorization", "Bearer my-secret-token")
+ rec := httptest.NewRecorder()
+ srv.Router().ServeHTTP(rec, req)
+
+ assert.Equal(t, http.StatusOK, rec.Code)
+ assert.Contains(t, rec.Body.String(), "KeyHunter")
+}
+
+func TestAuth_NoAuthConfigured_PassesThrough(t *testing.T) {
+ srv, err := NewServer(Config{})
+ require.NoError(t, err)
+
+ req := httptest.NewRequest(http.MethodGet, "/", nil)
+ rec := httptest.NewRecorder()
+ srv.Router().ServeHTTP(rec, req)
+
+ assert.Equal(t, http.StatusOK, rec.Code)
+}
+
+func TestOverview_ShowsStats(t *testing.T) {
+ srv, err := NewServer(Config{})
+ require.NoError(t, err)
+
+ req := httptest.NewRequest(http.MethodGet, "/", nil)
+ rec := httptest.NewRecorder()
+ srv.Router().ServeHTTP(rec, req)
+
+ body := rec.Body.String()
+ // Should display stat values (zeroes when no DB)
+ assert.True(t, strings.Contains(body, "Total Keys Found"), "should show Total Keys stat card")
+ assert.True(t, strings.Contains(body, "Providers Loaded"), "should show Providers stat card")
+ assert.True(t, strings.Contains(body, "Recon Sources"), "should show Recon Sources stat card")
+}
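Review bot: The auth tests pin only the accept paths and the no-header case, so a middleware that returns 200 for any `Authorization` header would pass all of them; nothing here sends a wrong password, a wrong user, or a wrong or empty bearer token. A rejection test next to `TestAuth_BasicAuth_Returns200` and `TestAuth_BearerToken_Returns200` should assert 401 and that the dashboard body is not rendered. The sketch below assumes basic and token auth can be configured on the same `Config`, which this file does not show; use two servers if they are mutually exclusive. Separately, `TestStaticAsset_HtmxJS` runs only with an empty `Config`, so whether `/static/` sits behind the auth middleware is left unpinned.

```go
func TestAuth_RejectsInvalidCredentials(t *testing.T) {
	srv, err := NewServer(Config{
		AuthUser:  "admin",
		AuthPass:  "secret",
		AuthToken: "my-secret-token",
	})
	require.NoError(t, err)

	cases := map[string]func(*http.Request){
		"wrong password": func(r *http.Request) { r.SetBasicAuth("admin", "wrong") },
		"wrong user":     func(r *http.Request) { r.SetBasicAuth("other", "secret") },
		"wrong token":    func(r *http.Request) { r.Header.Set("Authorization", "Bearer wrong") },
		"empty token":    func(r *http.Request) { r.Header.Set("Authorization", "Bearer ") },
	}
	for name, mutate := range cases {
		t.Run(name, func(t *testing.T) {
			req := httptest.NewRequest(http.MethodGet, "/", nil)
			mutate(req)
			rec := httptest.NewRecorder()
			srv.Router().ServeHTTP(rec, req)

			assert.Equal(t, http.StatusUnauthorized, rec.Code)
			assert.NotContains(t, rec.Body.String(), "KeyHunter")
		})
	}
}
```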