Multiplayer game security tests failing

Tell us what’s happening: Alright so I’ve been getting from this boilerplate issues accessing from the browser.

The app works fine on my machine and all the functional tests are passing but when I try to submit the challenge on the portal the last 4 criteria all fail.

More specifically the following :
Prevent the client from trying to guess / sniff the MIME type.
Prevent cross-site scripting (XSS) attacks.
Nothing from the website is cached in the client.
The headers say that the site is powered by “PHP 7.4.3” even though it isn’t (as a security measure).

Which correspond to the four functional tests that are all passing.

I have also noted that the boilerplate itself doesn’t seem to be working on repl hosting. I tried to diagnose the issue and to play around with CORS and CSP without luck.

I am therefore stuck unable to complete this challenge thinking I must not have been the only person affected by this and yet I cannot find any information on the topic…

Am I missing something?

Once again a massive Thank You to whoever takes the time to read and answer this

Your project link(s) :


Your browser information:

User Agent is: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36.

Challenge: Secure Real Time Multiplayer Game

Link to the challenge:

Just came across the same problem as you. When I run npm run test from the server it shows that all tests are passing, yet when I enter it on the challenge page it fails. It appears to be an issue on fcc’s side. To test this out, I intentionally failed this task (and others):

Players can use the WASD and/or arrow keys to move their avatar. Complete the movePlayer method in Player.mjs to implement this.

by changing up the keys, and on the challenge page it still shows it passes the test. May need to submit a bug report…

Hey! Thanks for your reply!

I guess I found it hard to believe that I might be the only one and was looking for some validation regarding whether or not I am missing something!

Are you submitting the bug or am I in this case?

Hello there,

Please note: Not all tests have been written for some of the backend projects. They are awaiting contribution. So, if you are interested in contributing by writing the tests, feel free to. Secure Real Time Multiplayer Project Tests · Issue #40877 · freeCodeCamp/freeCodeCamp

Hope this clarifies

Alright I’m going to get to it then and see if I can figure it out!

Thanks! I just completed everything and am looking to gather a bit more experience so that is good to know!

Hello there :grinning: ,
So if I understand correctly we cannot currently pass this project? Is there any way to bypass these 4 tests if they are broken?
Because the given solution passes these 4 tests.
Thx!


I have finally taken the time and found what I believe is the issue.

The boilerplate doesn’t come with CORS enabled on the server side as the other projects do, as it is required for testing.

If you simply add cors by editing the server.js file to add:

    const cors = require('cors');

at the end of the import section and

    app.use(cors({origin: '*'}));

following the line:

    app.use(bodyParser.urlencoded({ extended: true }));

I believe you will get it to work.

I have also just submitted the changes to the boilerplate by making a pull request, following the advice given by Sky020 that can be found at the following (my very first pull request so feel free to give feedback):

Let me know if it works for you!


Working for me :wink:
Thanks a lot !

This works for me. Thanks a lot!

This solution worked perfectly!
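
Added example (not part of the thread, and not freeCodeCamp's test code): a simplified model of why the four header checks can pass locally yet fail from the challenge page until CORS is enabled, assuming the page checks the headers from browser JavaScript running on a different origin. The origins and header values are constructed and the function names are hypothetical; the last case shows a pinned origin as a tighter alternative to `'*'`.

```javascript
// Constructed sample headers for the four criteria quoted in the thread.
const SAMPLE_HEADERS = {
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '1; mode=block',
  'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
  'x-powered-by': 'PHP 7.4.3',
};

// The four criteria expressed as checks on lower-cased response headers.
function auditHeaders(h) {
  return {
    noSniff: h['x-content-type-options'] === 'nosniff',
    xssFilter: (h['x-xss-protection'] || '').startsWith('1'),
    noCache: (h['cache-control'] || '').includes('no-store'),
    poweredBy: h['x-powered-by'] === 'PHP 7.4.3',
  };
}

// CORS check a browser applies to a simple (no credentials) cross-origin GET:
// the script may read the response only if the server allows its origin.
function scriptCanRead(pageOrigin, serverOrigin, h) {
  if (pageOrigin === serverOrigin) return true; // same origin: no CORS needed
  const allow = h['access-control-allow-origin'];
  return allow === '*' || allow === pageOrigin;
}

// What a checker running on pageOrigin concludes about the server.
function remoteAudit(pageOrigin, serverOrigin, h) {
  if (!scriptCanRead(pageOrigin, serverOrigin, h)) {
    // Blocked read: the checker sees nothing, so every criterion fails
    // even though the server did send the headers.
    return { noSniff: false, xssFilter: false, noCache: false, poweredBy: false };
  }
  return auditHeaders(h);
}

const PAGE = 'https://checker.example'; // hypothetical checker origin
const APP = 'https://my-game.example';  // hypothetical project origin
const withCors = { ...SAMPLE_HEADERS, 'access-control-allow-origin': '*' };
const pinned = { ...SAMPLE_HEADERS, 'access-control-allow-origin': PAGE };

console.log('same origin   ', remoteAudit(APP, APP, SAMPLE_HEADERS));
console.log('no CORS header', remoteAudit(PAGE, APP, SAMPLE_HEADERS));
console.log("origin: '*'   ", remoteAudit(PAGE, APP, withCors));
console.log('pinned origin ', remoteAudit(PAGE, APP, pinned));
```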