diff --git a/keyfetch/issuer_test.go b/keyfetch/issuer_test.go
index dedf771..5ef181f 100644
--- a/keyfetch/issuer_test.go
+++ b/keyfetch/issuer_test.go
@@ -2,6 +2,8 @@ package keyfetch
 
 import (
 "errors"
+ "net/http"
+ "net/url"
 "testing"
 )
 
@@ -132,3 +134,57 @@ func TestIssuerMatches(t *testing.T) {
 t.Fatal("A bad URL slipped past", iss)
 }
 }
+
+func TestImplicitIssuer(t *testing.T) {
+ var r *http.Request
+ var iss string
+
+ r = &http.Request{
+ Host: "example.com",
+ URL: &url.URL{Path: "/foo/bar/baz"},
+ Header: http.Header(map[string][]string{
+ "x-forwarded-host": []string{"example.com"},
+ }),
+ }
+ iss = "https://example.com/foo"
+ if !IsTrustedIssuer(iss, nil, r) {
+ t.Fatal("A good URL didn't make it:", iss)
+ }
+
+ r = &http.Request{
+ Host: "example.com",
+ URL: &url.URL{Path: "/"},
+ Header: http.Header(map[string][]string{
+ "x-forwarded-host": []string{"example.com"},
+ "x-forwarded-proto": []string{"http"},
+ }),
+ }
+ iss = "http://example.com/foo"
+ if IsTrustedIssuer(iss, nil, r) {
+ t.Fatal("A bad URL slipped past:", iss)
+ }
+
+ r = &http.Request{
+ Host: "example.com",
+ URL: &url.URL{Path: "/foo"},
+ Header: http.Header(map[string][]string{
+ "x-forwarded-host": []string{"example.com"},
+ }),
+ }
+ iss = "https://example.com/foo/bar/baz"
+ if IsTrustedIssuer(iss, nil, r) {
+ t.Fatal("A bad URL slipped past:", iss)
+ }
+
+ r = &http.Request{
+ Host: "example.com",
+ URL: &url.URL{Path: "/"},
+ Header: http.Header(map[string][]string{
+ "x-forwarded-proto": []string{"https"},
+ }),
+ }
+ iss = "https://example.com/"
+ if !IsTrustedIssuer(iss, nil, r) {
+ t.Fatal("A good URL didn't make it:", iss)
+ }
+}
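Review bot: The header maps in TestImplicitIssuer are built with lowercase keys (`"x-forwarded-host"`, `"x-forwarded-proto"`), but `http.Header.Get` only looks up the canonical form. If IsTrustedIssuer reads them with `Get` (its body is not in this diff), the forwarded headers are never seen and all four cases pass or fail on `Host` and the path alone. Build them with canonical keys, e.g. `Header: http.Header{"X-Forwarded-Host": {"example.com"}}`, or populate them with `r.Header.Set(...)`. The second case also cannot tell a scheme rejection from a path rejection, because `/foo` is not under the request path `/`; an `http://example.com/` issuer against path `/` would isolate the scheme check. Every case sets the forwarded host equal to `Host`, so a case where the two differ would document whether a client-supplied `X-Forwarded-Host` can influence which issuer is treated as trusted.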