Skip to content

Security Model

Varion treats the server and official backend as the authority. Client scripts, local files, launcher state and UI state are not trusted for gameplay or production identity decisions.

Server Authority

Validate these on the server or backend:

  • inventory and economy changes
  • permissions and admin actions
  • teleport-like movement
  • health, damage and weapon actions
  • entity creation and ownership (the client cannot mutate remote entities)
  • resource manifests and file lists
  • server identity and masterlist trust state
  • cloud/early auth results

Transport Encryption

Session traffic is encrypted per connection (src/network/CNetworkManager.cpp, src/crypto/):

  • key agreement — ECDH on the P-256 curve (BCRYPT_ECDH_P256_ALGORITHM); the shared secret is run through a SHA-256 KDF into a 256-bit session key;
  • payload — an AES-256-GCM envelope (PacketType::EncryptedEnvelope) per packet;
  • anti-replay — an 8-byte big-endian sequence is prepended to the plaintext, authenticated by GCM and checked against a sliding replay window; already-seen or out-of-window sequences are dropped.

Encryption is on by default (encryptTransport = true in include/varion.h). When it is enabled and the client offered a transport pubkey, the session is established; if encryptTransport is set but encryption cannot be established, the peer is disconnected (transport encryption required). The client refuses cleartext off-LAN; localhost/dev may stay cleartext when encryption is off. The HandshakeAck itself goes cleartext — the client only activates its session after parsing it.

Connection Gating

HandleHandshake runs a connection through a set of checks BEFORE it is marked authenticated:

  • protocolVersion must match the server PROTOCOL_VERSION;
  • channel (branch) must match the server channel;
  • gtaBuild must equal SUPPORTED_GTA_BUILD;
  • clientBuild must be at least minClientBuild (when it is set);
  • if serverPassword is set, the client must present a matching SHA-256 hex (constant-time compare; the password never travels, only the digest);
  • if useCloudAuth and cloudAuthRequired, the client must present a non-empty cloud id and token (presence check; full backend validation is a follow-up).

Only after all checks pass is the connection marked authenticated and the player admitted. The handshake is the only packet accepted before authentication.

In addition, every peer passes through a per-peer rate limit (a windowed packet-count guard, kRatePacketCap): repeatedly exceeding the cap disconnects the peer (rate limit exceeded).

Client Integrity

Client anti-tamper (CAntiTamper) is built behind the VARION_HARDENED compile gate, which defaults to OFF (client/CMakeLists.txt). In ordinary builds it is compiled to a no-op — do not rely on client-side anti-cheat as an authority; the source of truth stays on the server.

Protected Internals

Public server developers do not need protected client internals, launcher internals, private CDN config, signing keys or platform source trees to build a server. Their stable surface is server.toml, resources/, sdk/, include/ and documented HTTP/masterlist endpoints.

HTTP File Safety

Resource file routes work on an allowlist: the server serves only files that were advertised in the manifest (after percent-decoding, the request is matched against the advertised URLs). Path traversal, absolute paths and unknown paths simply do not match any advertised entry and return 404. Declared stream/data paths containing .. or absolute/root segments are rejected at resource load time.

Client HTTP Safety

Client varion.HttpClient validates URLs before fetch:

  • protocol must be http or https
  • the default game port (7788) is blocked
  • host and port must match the manifest HTTP base or asset-pack base

Local Secrets

Runtime .gitignore and package filters protect local-only files such as:

  • data/masterlist-token.txt
  • data/server-license.txt
  • .env files (*.env, .env, .env.*)
  • logs, cache and local database files

Safe templates such as .env.example, .env.sample and .env.template are allowed.

Source Backing

This page is derived from include/varion.h, src/network/CNetworkManager.cpp, src/crypto/, client/CMakeLists.txt, tools/verify-platform-trust.ps1, the runtime .gitignore and sdk/client-js-runtime/injected/services-bootstrap.js.

Varion Multiplayer Platform