diff --git a/apps/commandboard-web/package.json b/apps/commandboard-web/package.json
index b1b177d..eaf10c4 100644
--- a/apps/commandboard-web/package.json
+++ b/apps/commandboard-web/package.json
@@ -7,6 +7,7 @@
     "build": "node scripts/check-assets.js && vite build",
     "dev": "vite --host 0.0.0.0",
     "start": "node server.js",
+    "test": "vitest run server.test.js",
     "test:e2e": "playwright test"
   },
   "dependencies": {
diff --git a/apps/commandboard-web/server.js b/apps/commandboard-web/server.js
index 6a61e34..79d559d 100644
--- a/apps/commandboard-web/server.js
+++ b/apps/commandboard-web/server.js
@@ -7,7 +7,6 @@ import { createCommandBoardServer } from "../commandboard-api/dist/index.js";
 const appDirectory = fileURLToPath(new URL(".", import.meta.url));
 const distDirectory = resolve(appDirectory, "dist");
 const indexFile = join(distDirectory, "index.html");
-const apiServer = createCommandBoardServer();
 const port = Number(process.env.PORT ?? 4173);
 
 const mimeTypes = {
@@ -21,33 +20,52 @@ const mimeTypes = {
   ".webmanifest": "application/manifest+json; charset=utf-8"
 };
 
-createServer((request, response) => {
-  const url = new URL(request.url ?? "/", `http://${request.headers.host ?? "localhost"}`);
-
-  if (url.pathname === "/health" || url.pathname.startsWith("/api/")) {
-    apiServer.emit("request", request, response);
-    return;
-  }
-
-  if (request.method !== "GET" && request.method !== "HEAD") {
-    response.writeHead(405, { allow: "GET, HEAD" });
-    response.end("Method not allowed");
-    return;
-  }
-
-  const file = resolveStaticPath(url.pathname);
-  if (!file) {
-    response.writeHead(403);
-    response.end("Forbidden");
-    return;
-  }
+export function createCommandBoardWebServer() {
+  const apiServer = createCommandBoardServer();
+
+  return createServer((request, response) => {
+    const url = new URL(request.url ?? "/", `http://${request.headers.host ?? "localhost"}`);
+
+    if (url.pathname === "/health" || url.pathname.startsWith("/api/")) {
+      apiServer.emit("request", request, response);
+      return;
+    }
+
+    if (request.method !== "GET" && request.method !== "HEAD") {
+      response.writeHead(405, { allow: "GET, HEAD" });
+      response.end("Method not allowed");
+      return;
+    }
+
+    let file;
+    try {
+      file = resolveStaticPath(url.pathname);
+    } catch (error) {
+      if (error instanceof URIError) {
+        response.writeHead(400, { "content-type": "text/plain; charset=utf-8" });
+        response.end("Invalid path encoding");
+        return;
+      }
+      throw error;
+    }
+
+    if (!file) {
+      response.writeHead(403);
+      response.end("Forbidden");
+      return;
+    }
+
+    sendFile(file, request.method === "HEAD", response);
+  });
+}
 
-  sendFile(file, request.method === "HEAD", response);
-}).listen(port, () => {
-  console.log(`CommandBoard.run PWA listening on http://localhost:${port}`);
-});
+if (process.argv[1] && resolve(process.argv[1]) === fileURLToPath(import.meta.url)) {
+  createCommandBoardWebServer().listen(port, () => {
+    console.log(`CommandBoard.run PWA listening on http://localhost:${port}`);
+  });
+}
 
-function resolveStaticPath(pathname) {
+export function resolveStaticPath(pathname) {
   const decodedPath = decodeURIComponent(pathname);
   const normalizedPath = normalize(decodedPath).replace(/^(\.\.[/\\])+/, "");
   let candidate = join(distDirectory, normalizedPath);
diff --git a/apps/commandboard-web/server.test.js b/apps/commandboard-web/server.test.js
new file mode 100644
index 0000000..d20efad
--- /dev/null
+++ b/apps/commandboard-web/server.test.js
@@ -0,0 +1,31 @@
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import { createCommandBoardWebServer } from "./server.js";
+
+let server;
+let baseUrl;
+
+beforeAll(async () => {
+  server = createCommandBoardWebServer();
+  await new Promise((resolve) => server.listen(0, resolve));
+  const address = server.address();
+  if (!address || typeof address === "string") {
+    throw new Error("Expected web server to bind to a local port");
+  }
+  baseUrl = `http://127.0.0.1:${address.port}`;
+});
+
+afterAll(async () => {
+  await new Promise((resolve, reject) => {
+    server.close((error) => (error ? reject(error) : resolve()));
+  });
+});
+
+describe("CommandBoard web server", () => {
+  it("rejects malformed path encoding as a client error", async () => {
+    const response = await fetch(`${baseUrl}/%E0%A4%A`);
+    const body = await response.text();
+
+    expect(response.status).toBe(400);
+    expect(body).toBe("Invalid path encoding");
+  });
+});