Security Model
How Sorrel Hub protects user accounts and script delivery.
Security in Sorrel Hub is built around a simple principle: the backend is the only thing that matters for access decisions. The frontend and client-side code can never grant or bypass access on their own.
How Access Works
When you request a script from the loader, the backend validates everything before sending anything:
- Your account must exist and not be banned.
- You must have an active subscription for the requested product.
- Your Sub ID and session must be valid.
- Your hardware ID (HWID) must match the one bound to your account.
If any of these checks fail, the loader returns nothing. It does not fall back to a partial delivery or a demo mode. This is intentional — fail closed, not fail open.
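The four checks above, written as a fail-closed gate. This is an added example and not Sorrel Hub's own backend code: the record types, the sample accounts, sessions and payload, and the function names check_failures and authorize_script_request are all assumptions made for the illustration. The point it shows is the split between what the server logs (which checks failed) and what the client receives (a payload or nothing at all).

```python
"""Fail-closed access gate for a script loader.

Added illustration, not Sorrel Hub's own code. The record types, the
sample accounts/sessions/payload and the function names are assumptions.
"""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Account:
    sub_id: str
    banned: bool
    bound_hwid: Optional[str]
    subscriptions: Dict[str, datetime] = field(default_factory=dict)  # product -> expiry


@dataclass
class Session:
    sub_id: str
    expires_at: datetime


@dataclass
class LoaderRequest:
    sub_id: str
    session_token: str
    hwid: str
    product: str


# Constructed backend state with hypothetical identifiers.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ACCOUNTS = {
    "sub_alice": Account("sub_alice", False, "HWID-AAA",
                         {"product_x": NOW + timedelta(days=10)}),
    "sub_bob": Account("sub_bob", True, "HWID-BBB",
                       {"product_x": NOW + timedelta(days=10)}),
    "sub_carol": Account("sub_carol", False, None,
                         {"product_x": NOW - timedelta(days=1)}),
}
SESSIONS = {
    "tok_alice": Session("sub_alice", NOW + timedelta(hours=1)),
    "tok_bob": Session("sub_bob", NOW + timedelta(hours=1)),
    "tok_carol": Session("sub_carol", NOW + timedelta(hours=1)),
    "tok_stale": Session("sub_alice", NOW - timedelta(hours=1)),
}
SCRIPTS = {"product_x": b"-- constructed stand-in for a Luau payload"}


def check_failures(req: LoaderRequest, now: datetime = NOW) -> List[str]:
    """Run every check and collect the ones that fail.

    The list is for the server-side audit log only; it is never returned
    to the client, which only learns "payload" or "nothing".
    """
    failures: List[str] = []
    account = ACCOUNTS.get(req.sub_id)
    if account is None:
        return ["unknown_account"]  # nothing else can be evaluated
    if account.banned:
        failures.append("banned")
    session = SESSIONS.get(req.session_token)
    if session is None or session.sub_id != req.sub_id or session.expires_at <= now:
        failures.append("invalid_session")
    expiry = account.subscriptions.get(req.product)
    if expiry is None or expiry <= now:
        failures.append("no_active_subscription")
    # Constant-time compare so response time does not leak how many
    # leading characters of the bound HWID matched.
    if account.bound_hwid is None or not hmac.compare_digest(account.bound_hwid, req.hwid):
        failures.append("hwid_mismatch")
    return failures


def authorize_script_request(req: LoaderRequest, now: datetime = NOW) -> Optional[bytes]:
    """Return the payload only when no check failed; otherwise None.

    There is deliberately no partial, demo or error payload: every
    failing path yields the same empty response.
    """
    if check_failures(req, now):
        return None
    return SCRIPTS.get(req.product)


if __name__ == "__main__":
    ok = LoaderRequest("sub_alice", "tok_alice", "HWID-AAA", "product_x")
    bad = LoaderRequest("sub_carol", "tok_carol", "HWID-CCC", "product_x")
    print(authorize_script_request(ok))
    print(check_failures(bad), authorize_script_request(bad))
```

Note that check_failures keeps evaluating after the first failure so the audit log records every reason, while authorize_script_request collapses all of them into the same empty reply; a client watching responses cannot tell a banned account from a wrong HWID.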
Account Security
Two-Factor Authentication
Sorrel Hub supports authenticator-based 2FA (TOTP) for your account. You can set it up from the account dashboard.
Once enabled, login requires both your password and a code from your authenticator app.
Trusted Devices
After 2FA verification, you can mark a device as trusted for 14 days so you don't have to enter a code every login from that device. You can revoke trusted devices from your account settings at any time.
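How authenticator-based TOTP verification and a 14-day trusted-device store fit together, covering both the Two-Factor Authentication and Trusted Devices sections above. This is an added example, not Sorrel Hub's implementation: the store layout, the skew window of one step, the replay check and the function names are assumptions. The secret used in the demo is the RFC 6238 test-vector secret, so the codes it produces can be checked against the RFC.

```python
"""TOTP verification (RFC 6238) with replay protection, plus a trusted-device
token store with a 14-day lifetime.

Added illustration, not Sorrel Hub's code; the store layout, skew window
and function names are assumptions.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple

TRUST_SECONDS = 14 * 24 * 3600  # trusted-device lifetime stated on the page


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, zero-padded digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the matched time-step counter, or None if the code is rejected.

    Accepts +/- ``window`` steps of clock skew but never a counter at or
    below ``last_counter``; the caller persists the returned counter so a
    captured code cannot be replayed inside the skew window.
    """
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# Trusted devices: sha256(token) -> (account id, expiry as epoch seconds).
TrustStore = Dict[str, Tuple[str, int]]


def _token_key(token: str) -> str:
    # Only a hash is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_trusted_device(store: TrustStore, account_id: str, now: int) -> str:
    """Called after a successful 2FA check; returns the cookie value to set."""
    token = secrets.token_urlsafe(32)
    store[_token_key(token)] = (account_id, now + TRUST_SECONDS)
    return token


def is_trusted(store: TrustStore, account_id: str, token: str, now: int) -> bool:
    """True only for an unexpired token bound to this same account."""
    entry = store.get(_token_key(token))
    return entry is not None and entry[0] == account_id and now < entry[1]


def revoke_trusted_device(store: TrustStore, token: str) -> None:
    """Revocation from account settings: drop the entry, effective immediately."""
    store.pop(_token_key(token), None)


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    print(totp(rfc_secret, 59), verify_totp(rfc_secret, totp(rfc_secret, 59), 59))
```

The trusted-device token is bound to the account as well as checked for expiry, so a token lifted from one account's browser cannot be presented for another account, and revocation takes effect on the next request because trust is looked up server-side rather than inferred from the cookie alone.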
HWID Binding
Your HWID is bound to your account when you first use a product. Only scripts loaded from the bound hardware will work. You can reset your HWID from the dashboard if you change machines, subject to limits.
What the Frontend Cannot Do
The actual script payloads (Lua/Luau code) never pass through or are stored on the frontend. The frontend at sorrelhub.xyz is a static interface that communicates with the backend — it cannot read, serve, or expose script contents.
Any request that tries to bypass the backend validation layer gets denied. There is no client-side fallback.
Rate Limiting
Auth endpoints, key generation, and forum writes are rate limited on the backend. This prevents brute-force and spam attacks.
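A sliding-window limiter of the kind the paragraph describes, keyed per endpoint on both the source address and the account. This is an added example rather than Sorrel Hub's own code; the per-endpoint limits, the key scheme and the names SlidingWindowLimiter and check_rate_limit are constructed for the illustration.

```python
"""Sliding-window rate limiter for auth-style endpoints.

Added illustration, not Sorrel Hub's code; the limits and key scheme
are assumptions.
"""
from collections import deque
from typing import Deque, Dict


class SlidingWindowLimiter:
    """Allow at most ``limit`` events per ``window`` seconds for each key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._events.setdefault(key, deque())
        # Drop timestamps that have fallen out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # denied attempts are not recorded, so the window does not extend
        q.append(now)
        return True

    def retry_after(self, key: str, now: float) -> float:
        """Seconds until the oldest in-window event expires (0 if not limited)."""
        q = self._events.get(key)
        if not q or len(q) < self.limit:
            return 0.0
        return max(0.0, q[0] + self.window - now)


# Per-endpoint policies; the numbers are constructed, not the site's.
LIMITERS = {
    "login": SlidingWindowLimiter(limit=5, window=60),
    "key_generation": SlidingWindowLimiter(limit=3, window=3600),
    "forum_post": SlidingWindowLimiter(limit=10, window=600),
}


def check_rate_limit(endpoint: str, client_ip: str, account_id: str, now: float) -> bool:
    """Apply the endpoint's limit to the address and the account independently.

    Keying on both caps one address spraying many accounts and many
    addresses hammering one account. Call this before the credential check
    so failed attempts count as well as successful ones.
    """
    limiter = LIMITERS[endpoint]
    return (limiter.allow(f"{endpoint}:ip:{client_ip}", now)
            and limiter.allow(f"{endpoint}:acct:{account_id}", now))


if __name__ == "__main__":
    lim = SlidingWindowLimiter(limit=5, window=60)
    print([lim.allow("203.0.113.5", t) for t in range(7)])  # five True, then False
    print(lim.retry_after("203.0.113.5", 6))
```

Because allow is evaluated before any password or key check runs, a wrong guess consumes budget exactly like a right one, which is what makes the limit useful against credential guessing; on a denial the handler should return the same generic response it uses for other failures so the limit itself does not leak whether an account exists.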
Reporting Issues
If you find a security issue or vulnerability, report it through the Sorrel Hub Discord server or contact Winner directly. Do not post vulnerability details publicly.