diff --git a/core/test/unit/web/api/v2/content/middleware_spec.js b/core/test/unit/web/api/v2/content/middleware_spec.js
new file mode 100644
index 0000000000..a25001473d
--- /dev/null
+++ b/core/test/unit/web/api/v2/content/middleware_spec.js
@@ -0,0 +1,17 @@
+const should = require('should');
+const middleware = require('../../../../../../server/web/api/v2/content/middleware');
+
+describe('Content Api v2 middleware', function () {
+    it('exports an authenticatePublic middleware', function () {
+        should.exist(middleware.authenticatePublic);
+    });
+
+    describe('authenticatePublic', function () {
+        it('uses brute content api middleware as the first middleware in the chain', function () {
+            const firstMiddleware = middleware.authenticatePublic[0];
+            const brute = require('../../../../../../server/web/shared/middlewares/brute');
+
+            should.equal(firstMiddleware, brute.contentApiKey);
+        });
+    });
+});
diff --git a/core/test/unit/web/shared/middleware/api/spam-prevention_spec.js b/core/test/unit/web/shared/middleware/api/spam-prevention_spec.js
new file mode 100644
index 0000000000..3e77e45005
--- /dev/null
+++ b/core/test/unit/web/shared/middleware/api/spam-prevention_spec.js
@@ -0,0 +1,17 @@
+const should = require('should');
+const spamPrevention = require('../../../../../../server/web/shared/middlewares/api/spam-prevention');
+
+describe('Spam Prevention', function () {
+    it('exports a contentApiKey method', function () {
+        should.equal(typeof spamPrevention.contentApiKey, 'function');
+    });
+
+    describe('contentApiKey method', function () {
+        it('returns an instance of express-brute', function () {
+            const ExpressBrute = require('express-brute');
+            const result = spamPrevention.contentApiKey();
+
+            should.equal(result instanceof ExpressBrute, true);
+        });
+    });
+});
diff --git a/core/test/unit/web/shared/middleware/brute_spec.js b/core/test/unit/web/shared/middleware/brute_spec.js
new file mode 100644
index 0000000000..9cc6ce12b4
--- /dev/null
+++ b/core/test/unit/web/shared/middleware/brute_spec.js
@@ -0,0 +1,27 @@
+const should = require('should');
+const sinon = require('sinon');
+const brute = require('../../../../../server/web/shared/middlewares/brute');
+
+describe('brute middleware', function () {
+    it('exports a contentApiKey method', function () {
+        should.equal(typeof brute.contentApiKey, 'function');
+    });
+
+    describe('contentApiKey', function () {
+        it('calls the contentApiKey method of spam prevention', function () {
+            const spamPrevention = require('../../../../../server/web/shared/middlewares/api/spam-prevention');
+            const contentApiKeyStub = sinon.stub(spamPrevention, 'contentApiKey');
+
+            // CASE: we don't care about what params it takes
+            // just whether it calls the spam prevention stuff
+            try {
+                brute.contentApiKey();
+            } catch (err) {
+                // I don't care
+            } finally {
+                should.equal(contentApiKeyStub.called, true);
+                contentApiKeyStub.reset();
+            }
+        });
+    });
+});