Security Model
Varion treats the server and official backend as the authority. Client scripts, local files, launcher state and UI state are not trusted for gameplay or production identity decisions.
Server Authority
Validate these on the server or backend:
- inventory and economy changes
- permissions and admin actions
- teleport-like movement
- health, damage and weapon actions
- entity creation and ownership (the client cannot mutate remote entities)
- resource manifests and file lists
- server identity and masterlist trust state
- cloud/early auth results
Transport Encryption
Session traffic is encrypted per connection (src/network/CNetworkManager.cpp, src/crypto/):
- key agreement — ECDH on the P-256 curve (
BCRYPT_ECDH_P256_ALGORITHM); the shared secret is run through a SHA-256 KDF into a 256-bit session key; - payload — an AES-256-GCM envelope (
PacketType::EncryptedEnvelope) per packet; - anti-replay — an 8-byte big-endian sequence is prepended to the plaintext, authenticated by GCM and checked against a sliding replay window; already-seen or out-of-window sequences are dropped.
Encryption is on by default (encryptTransport = true in include/varion.h). When it is enabled and the client offered a transport pubkey, the session is established; if encryptTransport is set but encryption cannot be established, the peer is disconnected (transport encryption required). The client refuses cleartext off-LAN; localhost/dev may stay cleartext when encryption is off. The HandshakeAck itself goes cleartext — the client only activates its session after parsing it.
Connection Gating
HandleHandshake runs a connection through a set of checks BEFORE it is marked authenticated:
protocolVersionmust match the serverPROTOCOL_VERSION;channel(branch) must match the server channel;gtaBuildmust equalSUPPORTED_GTA_BUILD;clientBuildmust be at leastminClientBuild(when it is set);- if
serverPasswordis set, the client must present a matching SHA-256 hex (constant-time compare; the password never travels, only the digest); - if
useCloudAuthandcloudAuthRequired, the client must present a non-empty cloud id and token (presence check; full backend validation is a follow-up).
Only after all checks pass is the connection marked authenticated and the player admitted. The handshake is the only packet accepted before authentication.
In addition, every peer passes through a per-peer rate limit (a windowed packet-count guard, kRatePacketCap): repeatedly exceeding the cap disconnects the peer (rate limit exceeded).
Client Integrity
Client anti-tamper (CAntiTamper) is built behind the VARION_HARDENED compile gate, which defaults to OFF (client/CMakeLists.txt). In ordinary builds it is compiled to a no-op — do not rely on client-side anti-cheat as an authority; the source of truth stays on the server.
Protected Internals
Public server developers do not need protected client internals, launcher internals, private CDN config, signing keys or platform source trees to build a server. Their stable surface is server.toml, resources/, sdk/, include/ and documented HTTP/masterlist endpoints.
HTTP File Safety
Resource file routes work on an allowlist: the server serves only files that were advertised in the manifest (after percent-decoding, the request is matched against the advertised URLs). Path traversal, absolute paths and unknown paths simply do not match any advertised entry and return 404. Declared stream/data paths containing .. or absolute/root segments are rejected at resource load time.
Client HTTP Safety
Client varion.HttpClient validates URLs before fetch:
- protocol must be
httporhttps - the default game port (
7788) is blocked - host and port must match the manifest HTTP base or asset-pack base
Local Secrets
Runtime .gitignore and package filters protect local-only files such as:
data/masterlist-token.txtdata/server-license.txt.envfiles (*.env,.env,.env.*)- logs, cache and local database files
Safe templates such as .env.example, .env.sample and .env.template are allowed.
Source Backing
This page is derived from include/varion.h, src/network/CNetworkManager.cpp, src/crypto/, client/CMakeLists.txt, tools/verify-platform-trust.ps1, the runtime .gitignore and sdk/client-js-runtime/injected/services-bootstrap.js.