diff --git a/.coveragerc b/.coveragerc
index 797cc5e..6ea45ea 100644
--- a/.coveragerc
+++ b/.coveragerc
@@ -4,4 +4,5 @@ omit =
     venv2/*
     authome/migrations/*
     authome/wsgi.py
+    authome/settings.py
     manage.py
diff --git a/authome/test.py b/authome/test.py
index 2d464a9..b5a2071 100644
--- a/authome/test.py
+++ b/authome/test.py
@@ -9,6 +9,7 @@ class AuthTestCase(TestCase):
     client = Client()
+    home_url = reverse('home')
     auth_url = reverse('auth')
     auth_ip_url = reverse('auth_ip')
     auth_dual_url = reverse('auth_dual')
@@ -22,6 +23,16 @@ def setUp(self):
     def basic_auth(self, username, password):
         return 'Basic {}'.format(base64.b64encode('{}:{}'.format(username, password).encode('utf-8')).decode('utf-8'))
+# @mock.patch('adal.AuthenticationContext.acquire_token_with_username_password')
+# def test_home_redirects(self, mock_api_call):
+# mock_api_call.return_value = {
+# 'userId': self.email
+# }
+# response = self.client.get(self.home_url)
+# self.assertRedirects
+
+
     @mock.patch('adal.AuthenticationContext.acquire_token_with_username_password')
     def test_auth_adal_with_username(self, mock_api_call):
         mock_api_call.return_value = {
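Review bot: The commented-out `test_home_redirects` block added after `basic_auth` is dead code, and its final statement `self.assertRedirects` is a bare attribute reference that asserts nothing even once the block is uncommented. Either finish the test with an explicit target and call it, e.g. `self.assertRedirects(response, expected_url, fetch_redirect_response=False)`, or drop the block and track the missing home-redirect coverage in an issue rather than in the source. The hunk's trailing context (`test_auth_adal_with_username`) continues outside the hunk.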
@@ -57,9 +68,32 @@ def test_auth_adal_with_invalid_username(self, mock_api_call):
         )
         self.assertEqual(response.status_code, 401)
-    def test_auth_adal_without_creds(self):
+    def test_auth_adal_with_bad_creds(self):
+        # no credentials
         response = self.client.get(self.auth_url)
         self.assertEqual(response.status_code, 401)
+        # malformed Authorization Header
+        response = self.client.get(self.auth_url,
+            HTTP_AUTHORIZATION='Basic'
+        )
+        self.assertEqual(response.status_code, 401)
+        response = self.client.get(self.auth_url,
+            HTTP_AUTHORIZATION='Not a legit header'
+        )
+        self.assertEqual(response.status_code, 401)
+        response = self.client.get(self.auth_url,
+            HTTP_AUTHORIZATION='Basic 😭😭😭😕😕😕'
+        )
+        self.assertEqual(response.status_code, 401)
+        response = self.client.get(self.auth_url,
+            HTTP_AUTHORIZATION='Basic ==abcdef/+=='
+        )
+        self.assertEqual(response.status_code, 401)
+        # legit header, but invalid payload
+        response = self.client.get(self.auth_url,
+            HTTP_AUTHORIZATION='Basic '+base64.b64encode(b'notlegit').decode('utf-8')
+        )
+        self.assertEqual(response.status_code, 401)
     @mock.patch('adal.AuthenticationContext.acquire_token_with_username_password')
     def test_auth_ip_with_username(self, mock_api_call):
@@ -116,5 +150,6 @@ def test_auth_dual(self, mock_api_call):
         self.assertIn('email', response.json())
         self.assertEqual(response.json()['email'], self.email)
-
-
+    def test_auth_dual_without_creds(self):
+        response = self.client.get(self.auth_dual_url)
+        self.assertEqual(response.status_code, 200)
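Review bot: `test_auth_adal_with_bad_creds` is not decorated with the `adal` mock that the neighbouring tests use, so if a malformed header ever slips past the view's parsing the test would reach the real `acquire_token_with_username_password` instead of failing cleanly, and the five identical assertion blocks give no indication of which header got through. Patch the ADAL call as the sibling tests do, assert it is never invoked for any of the garbage headers (a malformed credential must be rejected before the identity provider is consulted), and loop the cases under `subTest` so each header reports its own result. The set of cases could also usefully include a lowercase `basic` scheme and a trailing-space variant, since scheme matching is often the weak spot in hand-rolled header parsers, but that depends on view code not visible here.

```python
    @mock.patch('adal.AuthenticationContext.acquire_token_with_username_password')
    def test_auth_adal_with_bad_creds(self, mock_api_call):
        # … unchanged: no-credentials request and its 401 assertion …
        bad_headers = (
            'Basic',
            'Not a legit header',
            'Basic 😭😭😭😕😕😕',
            'Basic ==abcdef/+==',
            'Basic ' + base64.b64encode(b'notlegit').decode('utf-8'),
        )
        for header in bad_headers:
            with self.subTest(header=header):
                response = self.client.get(self.auth_url, HTTP_AUTHORIZATION=header)
                self.assertEqual(response.status_code, 401)
        # a malformed header must be rejected before the IdP is ever called
        mock_api_call.assert_not_called()
```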
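Review bot: `test_auth_dual_without_creds` only checks the status code, so a regression that hands an authenticated identity to an anonymous request would still pass; `test_auth_dual` directly above asserts that `'email'` is present, and the negative case should assert the opposite, e.g. `self.assertNotIn('email', response.json())` if the unauthenticated response is JSON, or otherwise that the body carries no identity. Whether a 200 for a credential-less request is intended (a login page, a "not authenticated" payload) is not visible from this hunk, so a one-line comment in the test stating the expected anonymous behaviour would make the intent reviewable. Separately, the hunk removes both trailing blank lines and places the new `def` directly after the previous assertion; restore one blank line before it per PEP 8.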