1 files changed, 16 insertions, 1 deletions

diff --git a/weed/s3api/s3_sse_s3_test.go b/weed/s3api/s3_sse_s3_test.go
index 391692921..dc3378ae3 100644
--- a/weed/s3api/s3_sse_s3_test.go
+++ b/weed/s3api/s3_sse_s3_test.go
@@ -630,13 +630,21 @@ func TestSSES3IsEncryptedInternal(t *testing.T) {
 			expected: false,
 		},
 		{
-			name: "Valid SSE-S3 metadata",
+			name: "Valid SSE-S3 metadata with key",
 			metadata: map[string][]byte{
 				s3_constants.AmzServerSideEncryption: []byte("AES256"),
+				s3_constants.SeaweedFSSSES3Key:       []byte("test-key-data"),
 			},
 			expected: true,
 		},
 		{
+			name: "SSE-S3 header without key (orphaned header - GitHub #7562)",
+			metadata: map[string][]byte{
+				s3_constants.AmzServerSideEncryption: []byte("AES256"),
+			},
+			expected: false, // Should not be considered encrypted without the key
+		},
+		{
 			name: "SSE-KMS metadata",
 			metadata: map[string][]byte{
 				s3_constants.AmzServerSideEncryption: []byte("aws:kms"),
@@ -650,6 +658,13 @@ func TestSSES3IsEncryptedInternal(t *testing.T) {
 			},
 			expected: false,
 		},
+		{
+			name: "Key without header",
+			metadata: map[string][]byte{
+				s3_constants.SeaweedFSSSES3Key: []byte("test-key-data"),
+			},
+			expected: false, // Need both header and key
+		},
 	}
 
 	for _, tc := range testCases {