diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -1052,6 +1052,7 @@
     'DiffusionSSHWorkflow' => 'applications/diffusion/ssh/DiffusionSSHWorkflow.php',
     'DiffusionSearchQueryConduitAPIMethod' => 'applications/diffusion/conduit/DiffusionSearchQueryConduitAPIMethod.php',
     'DiffusionServeController' => 'applications/diffusion/controller/DiffusionServeController.php',
+    'DiffusionServeControllerTestCase' => 'applications/diffusion/controller/__tests__/DiffusionServeControllerTestCase.php',
     'DiffusionServiceRef' => 'applications/diffusion/ref/DiffusionServiceRef.php',
     'DiffusionSetPasswordSettingsPanel' => 'applications/diffusion/panel/DiffusionSetPasswordSettingsPanel.php',
     'DiffusionSetupException' => 'applications/diffusion/exception/DiffusionSetupException.php',
@@ -7103,6 +7104,7 @@
     'DiffusionSSHWorkflow' => 'PhabricatorSSHWorkflow',
     'DiffusionSearchQueryConduitAPIMethod' => 'DiffusionQueryConduitAPIMethod',
     'DiffusionServeController' => 'DiffusionController',
+    'DiffusionServeControllerTestCase' => 'PhabricatorTestCase',
     'DiffusionServiceRef' => 'Phobject',
     'DiffusionSetPasswordSettingsPanel' => 'PhabricatorSettingsPanel',
     'DiffusionSetupException' => 'Exception',
diff --git a/src/applications/diffusion/controller/DiffusionServeController.php b/src/applications/diffusion/controller/DiffusionServeController.php
--- a/src/applications/diffusion/controller/DiffusionServeController.php
+++ b/src/applications/diffusion/controller/DiffusionServeController.php
@@ -183,8 +183,8 @@
     // won't prompt users who provide a username but no password otherwise.
     // See T10797 for discussion.
 
-    $have_user = strlen(idx($_SERVER, 'PHP_AUTH_USER'));
-    $have_pass = strlen(idx($_SERVER, 'PHP_AUTH_PW'));
+    $have_user = strlen(idx($_SERVER, 'PHP_AUTH_USER', ''));
+    $have_pass = strlen(idx($_SERVER, 'PHP_AUTH_PW', ''));
     if ($have_user && $have_pass) {
       $username = $_SERVER['PHP_AUTH_USER'];
       $password = new PhutilOpaqueEnvelope($_SERVER['PHP_AUTH_PW']);
diff --git a/src/applications/diffusion/controller/__tests__/DiffusionServeControllerTestCase.php b/src/applications/diffusion/controller/__tests__/DiffusionServeControllerTestCase.php
new file mode 100644
--- /dev/null
+++ b/src/applications/diffusion/controller/__tests__/DiffusionServeControllerTestCase.php
@@ -0,0 +1,21 @@
+<?php
+
+final class DiffusionServeControllerTestCase extends PhabricatorTestCase {
+  protected function getPhabricatorTestCaseConfiguration() {
+    return array(
+      self::PHABRICATOR_TESTCONFIG_BUILD_STORAGE_FIXTURES => true,
+    );
+  }
+
+  public function testHandleRequest() {
+    $aphront_request = new AphrontRequest('example.com', '/');
+    $diffusion_serve_controller = new DiffusionServeController();
+
+    $diffusion_serve_controller->setRequest($aphront_request);
+    $result = $diffusion_serve_controller->handleRequest($aphront_request);
+    $this->assertTrue(true, 'handleRequest did not throw an error');
+    $this->assertTrue($result instanceof PhabricatorVCSResponse,
+      'handleRequest() returns PhabricatorVCSResponse object');
+  }
+
+}