
Security model


HBM Rocket is built on the principle that the agent should never trust the network and the control plane should never log in to your site. Every interaction is signed, time bounded, and least privileged.

Per site HMAC secret

When you add a site, the control plane generates a 256-bit secret and shows it once. The agent stores it in wp_options under hbm_rocket_secret. Every outbound request signs a deterministic payload with HMAC-SHA256.

Signed envelope

message = timestamp + "\n" + method + "\n" + path + "\n" + body
signature = hmac_sha256(secret, message)

X-Rocket-Site: example.com
X-Rocket-Timestamp: 1714750000
X-Rocket-Signature: <hex digest>

Replay protection

The control plane rejects any request whose timestamp differs from server time by more than 300 seconds. The signature covers the timestamp, so a captured signature cannot be reattached to a request carrying a different timestamp.
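The envelope and the replay window above, worked through in Python as an added example (this is not HBM Rocket's own agent or control plane code). It assumes the secret is used as raw bytes as shown, and the path /v1/audit, the secret and the body are constructed placeholders:

```python
import hashlib
import hmac

MAX_SKEW_SECONDS = 300  # replay window described above


def canonical_message(timestamp: int, method: str, path: str, body: str) -> bytes:
    # Deterministic payload: timestamp, method, path and body joined by "\n".
    return f"{timestamp}\n{method}\n{path}\n{body}".encode("utf-8")


def sign_request(secret: bytes, site: str, timestamp: int, method: str,
                 path: str, body: str) -> dict:
    # Agent side: produce the X-Rocket-* headers for one outbound request.
    digest = hmac.new(secret, canonical_message(timestamp, method, path, body),
                      hashlib.sha256).hexdigest()
    return {
        "X-Rocket-Site": site,
        "X-Rocket-Timestamp": str(timestamp),
        "X-Rocket-Signature": digest,
    }


def verify_request(secret: bytes, headers: dict, method: str, path: str,
                   body: str, now: int) -> bool:
    # Control plane side: check the timestamp window first, then the MAC.
    try:
        ts = int(headers["X-Rocket-Timestamp"])
        presented = headers["X-Rocket-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: rejected before any MAC work
    expected = hmac.new(secret, canonical_message(ts, method, path, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch leaks nothing about the digest.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample: a site-specific secret and one audit upload.
    secret = bytes.fromhex("00" * 32)
    hdrs = sign_request(secret, "example.com", 1714750000, "POST", "/v1/audit", '{"ok":true}')
    print(hdrs)
    print(verify_request(secret, hdrs, "POST", "/v1/audit", '{"ok":true}', 1714750100))   # True
    print(verify_request(secret, hdrs, "POST", "/v1/audit", '{"ok":true}', 1714750400))   # False
```

A tampered body, a different path or a request presented more than 300 seconds from the server clock all fail verification; a request re-sent inside the window with the same timestamp and signature would still pass, since this scheme has no per-request nonce.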

Secret rotation

Rotate from the site detail page. The new secret is generated immediately. The agent fetches it on the next heartbeat (within 5 minutes by default). Older signed requests stop validating as soon as the rotation completes.

If you suspect compromise, rotate and immediately purge the old secret from worker memory. Contact us and we can force-expire active connections.

Control plane authentication

Dashboard sessions use signed JWTs in HttpOnly, Secure, SameSite=Lax cookies. Tokens are valid for 7 days. Two factor authentication for the OWNER role is on the roadmap; we recommend that OWNER accounts use a long passphrase from a password manager today.

What we never do

  • We never request WordPress admin credentials
  • We never request SFTP or SSH credentials
  • We never modify your filesystem outside the plugin's own directory
  • We never proxy visitor traffic
  • We never read user submitted content (form posts, comments, orders)

Data residency

The HBM Rocket control plane runs in the United States. Audit JSON is stored in PostgreSQL and Cloudflare R2. The agent transmits only environment metadata (versions, theme name, server software) and audit results. No PII, no visitor data, no form submissions.

Self hosted deployment

Enterprise customers can run the entire stack in their own data center. Full deployment guide on request. Sub processors involved (Cloudflare CDN, Hostinger hosting) can be removed in a self hosted topology.
