HBM Rocket is built on the principle that the agent should never trust the network and the control plane should never log in to your site. Every interaction is signed, time-bounded, and least-privileged.
Per-site HMAC secret
When you add a site, the control plane generates a 256-bit secret and shows it once. The agent stores it in wp_options under hbm_rocket_secret. Every outbound request signs a deterministic payload with HMAC-SHA256.
Signed envelope
message = timestamp + "\n" + method + "\n" + path + "\n" + body
signature = hmac_sha256(secret, message)

X-Rocket-Site: example.com
X-Rocket-Timestamp: 1714750000
X-Rocket-Signature: <hex digest>
Replay protection
The control plane rejects any request whose timestamp differs from server time by more than 300 seconds. The signature covers the timestamp, so a captured signature cannot be reused with a different timestamp.
Secret rotation
Rotate from the site detail page. The new secret is generated immediately. The agent fetches it on the next heartbeat (within 5 minutes by default). Older signed requests stop validating as soon as the rotation completes.
Control plane authentication
Dashboard sessions use signed JWTs in HttpOnly, Secure, SameSite=Lax cookies. Tokens last 7 days. Two-factor authentication for the OWNER role is on the roadmap; we recommend OWNER accounts use a long passphrase from a password manager today.
What we never do
- We never request WordPress admin credentials
- We never request SFTP or SSH credentials
- We never modify your filesystem outside the plugin's own directory
- We never proxy visitor traffic
- We never read user-submitted content (form posts, comments, orders)
Data residency
The HBM Rocket control plane runs in the United States. Audit JSON is stored in PostgreSQL and Cloudflare R2. The agent transmits only environment metadata (versions, theme name, server software) and audit results. No PII, no visitor data, no form submissions.
Self-hosted deployment
Enterprise customers can run the entire stack in their own data center. A full deployment guide is available on request. The sub-processors involved (Cloudflare CDN, Hostinger hosting) can be removed in a self-hosted topology.