diff --git a/certidude/api/attrib.py b/certidude/api/attrib.py
index 0d0c50e..53465a8 100644
--- a/certidude/api/attrib.py
+++ b/certidude/api/attrib.py
@@ -15,6 +15,7 @@ class AttributeResource(object):
 Return extended attributes stored on the server.
 This not only contains tags and lease information,
 but might also contain some other sensitive information.
+ Results made available only to lease IP address.
 """
 try:
 path, buf, cert = authority.get_signed(cn)
diff --git a/tests/test_cli.py b/tests/test_cli.py
index c843866..9cc8502 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -245,6 +245,9 @@ def test_cli_setup_authority():
 r = client().simulate_delete("/api/request/test/",
 headers={"Authorization":admintoken})
 assert r.status_code == 200, r.text
+ r = client().simulate_delete("/api/request/nonexistant/",
+ headers={"Authorization":admintoken})
+ assert r.status_code == 404, r.text

 # Test request submission corner cases
 r = client().simulate_post("/api/request/",
@@ -376,6 +379,8 @@ def test_cli_setup_authority():
 # Test attribute fetching API call
 r = client().simulate_get("/api/signed/test/attr/")
 assert r.status_code == 403, r.text
+ r = client().simulate_get("/api/signed/nonexistant/attr/")
+ assert r.status_code == 404, r.text
 r = client().simulate_get("/api/signed/test/lease/",
 headers={"Authorization":admintoken})
 assert r.status_code == 404, r.text 
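Review bot: The added docstring line promises that results go "only to lease IP address", but an access decision keyed on the caller's IP is only as strong as where that address is read from; if this service is ever fronted by a reverse proxy and the handler trusts a forwarded header such as `X-Forwarded-For`, any client can claim the lease address and read the "sensitive information" the same docstring warns about. The actual check sits outside this hunk (the method body continues past `authority.get_signed(cn)`), so I cannot see how the address is obtained. I would make the docstring state the contract precisely, e.g. `Results are returned only to requests whose peer address equals the address recorded in the certificate's lease; other callers receive 403. The peer address must come from the transport, never from forwarded headers.` — and confirm the second sentence against the code. `lease IP address` on its own also reads oddly; `the IP address recorded in the lease` is clearer.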
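Review bot: The new assertion in the `@@ -376` hunk pins an unauthenticated `GET /api/signed/<cn>/attr/` to 404 for an unknown CN while the line just above pins 403 for a known one, which turns the endpoint into a certificate-enumeration oracle: anyone without a token can probe CNs and learn which certificates have been issued. If that is not intended, the handler should answer the same status for both cases and this line should become `assert r.status_code == 403, r.text`; if CN existence is considered public, say so next to the test, e.g. `# 404 vs 403 deliberately reveals whether the CN exists`. The enclosing `test_cli_setup_authority` starts and ends outside this hunk.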
@@ -383,9 +388,20 @@ def test_cli_setup_authority():
 r = client().simulate_post("/api/lease/",
 query_string = "client=test&address=127.0.0.1",
 headers={"Authorization":admintoken})
- assert r.status_code == 200, r.text
+ assert r.status_code == 200, r.text # lease update ok
+ r = client().simulate_post("/api/lease/",
+ query_string = "client=test&address=127.0.0.1&serial=0",
+ headers={"Authorization":admintoken})
+ assert r.status_code == 403, r.text # invalid serial number supplied
 r = client().simulate_get("/api/signed/test/attr/")
- assert r.status_code == 200, r.text
+ assert r.status_code == 200, r.text # read okay from own address
+ r = client().simulate_post("/api/lease/",
+ query_string = "client=test&address=1.2.3.4",
+ headers={"Authorization":admintoken})
+ assert r.status_code == 200, r.text # lease update ok
+ r = client().simulate_get("/api/signed/test/attr/")
+ assert r.status_code == 403, r.text # read failed from other address
+

 # Test lease retrieval
 r = client().simulate_get("/api/signed/test/lease/")
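Review bot: The `# read okay from own address` / `# read failed from other address` assertions only hold because the test client's peer address happens to be 127.0.0.1, which nothing in the test states; a comment such as `# the simulate_* client reports 127.0.0.1 as the peer address, matching the lease set above` (presumably falcon's TestClient, judging by the `simulate_*` names) would explain why an unauthenticated GET succeeds at all. The sole negative lease case is `serial=0`; adding a malformed value like `serial=abc` would pin that a non-numeric serial is rejected with a 4xx rather than blowing up as a 500, assuming the handler parses it, which I cannot see from here. The `# lease update ok` comment also appears twice for two different addresses; `# lease moved to another address` on the second makes the 403 that follows self-explanatory. `test_cli_setup_authority` begins before this hunk.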