A client-side Minecraft mod that protects against client fingerprinting and tracking exploits and provides other privacy-focused features.
Warning
This is a passion project mostly built with AI. Everything is tested but don't rely on this for actual security. If you want something proven, use ExploitPreventer (See EP Compatibility and Meteor Client notes). OpSec just tries to offer more features and interactive customization on top of the basics.
- Brand Spoofing - Change client brand name to Vanilla, Fabric, or Forge
- Channel Spoofing - Hide or fake mod channels to prevent mod detection
- Isolate Pack Cache - Isolate resource packs per-account to prevent tracking
- Block Local URLs - Block resource pack redirects to local/private addresses
- Key Resolution Protection - Protect against key resolution mod detection in any server packet
- Meteor Fix - Disable Meteor Client's broken key resolution protection
- Mod Whitelist - Automatically or manually exempt mods from channel spoofing and key resolution protection
- Chat Signing Control - Configure chat message signing behavior
- Account Manager - Switch between Minecraft accounts using session tokens
- Telemetry Blocking - Disable data collection sent to Mojang
If you're interested in servers or plugins that are using tracking related exploits then look in the Hall of Shame.
- Minecraft 1.21.1 – 26.1
- Fabric Loader 0.16.0+ (0.18.4+ for MC 26.1)
- Fabric API (matching your Minecraft version)
- Install Fabric Loader for your Minecraft version
- Download the latest Fabric API for your Minecraft version
- Download the latest opsec-[minecraft_version]+[version].jar from the Releases page
- Place both mods in your .minecraft/mods folder
- Launch Minecraft
The settings menu is accessible via the OpSec button in the multiplayer server selection menu header or via Mod Menu.
If settings are changed while connected to a server it is recommended to reconnect to the server to ensure changes are applied.
| Setting | Description |
|---|---|
| Spoof Brand | Enable/disable brand spoofing |
| Brand Type | Select which brand to appear as (Vanilla/Fabric/Forge) |
| Spoof Channels | Enable/disable channel spoofing |
| Setting | Description |
|---|---|
| Isolate Pack Cache | Enable/disable cache isolation |
| Block Local Pack URLs | Enable/disable local URL blocking |
| Clear Cache | Delete all cached server resource packs |
| Key Resolution Spoofing | Enable/disable key resolution protection |
| Fake Default Keybinds | Return default vanilla keybind values instead of actual bindings |
| Meteor Fix | Disable Meteor Client's broken key resolution protection (only shown when Meteor is installed) |
| Signing Mode | Configure chat signing behavior: • OFF: Strip signatures (maximum privacy) • ON: Default Minecraft behavior • AUTO: Only sign when required (recommended) |
| Disable Telemetry | Enable/disable telemetry blocking |
| Setting | Description |
|---|---|
| Whitelist Mode | Select whitelist behavior: • OFF: All mod content blocked • AUTO: Mods with network channels are automatically whitelisted (default) • CUSTOM: Manually select which mods to whitelist |
| Installed Mods | Toggle individual mods ON/OFF to exempt them from protection (CUSTOM mode only) |
| Setting | Description |
|---|---|
| Show Alerts | Display chat messages when tracking is detected |
| Show Toasts | Display popup notifications for important events |
| Log Detections | Log all detection events to game log for transparency |
| Setting | Description |
|---|---|
| Saved Accounts | List of added accounts with login/logout and remove buttons |
| Refresh All | Revalidate all account tokens (invalid tokens marked red) |
| Add Session Token | Add a new account using a session (access) token |
| Import | Import accounts from a JSON file |
| Export | Export accounts to a JSON file |
Use /opsec in-game to access debug information:
| Command | Description |
|---|---|
| /opsec | Show available commands |
| /opsec info | Show overview of all tracked mods |
| /opsec info <mod> | Show details for a specific mod (translation keys, key-bind key, channels) |
| /opsec channels | Show all tracked network channels with whitelist status |
- Key Resolution Exploit Detected: Server is probing your keybind
- Resource Pack Fingerprinting Detected: Suspicious resource pack URL detected
- Local URL Scan Detected: Resource pack redirect targeted a local/private address
Servers can query your client brand to detect whether you're running a modded client. OpSec intercepts the brand packet and replaces it with your chosen brand:
- Vanilla - Appear as an unmodified Minecraft client
- Fabric - Appear as a standard Fabric client (default)
- Forge - Appear as a Forge client
The brand setting also determines how Channel Spoofing and Key Resolution Protection behave for each mode.
Important
Server plugins like AntiSpoof can detect a discrepancy between the client brand name and the mod channels and flag clients for spoofing if Channel Spoofing isn't enabled.
Based on LiquidBounce.
Server-required resource packs could be used to fingerprint a client instance across accounts.
https://alaggydev.github.io/posts/cytooxien/
Instead of storing all resource packs in a shared cache (~/.minecraft/downloads/), OpSec creates separate cache directories for each account UUID.
Taken from ExploitPreventer by NikOverFlow
Malicious servers can send resource pack URLs that redirect to your local network to probe for devices and services.
https://alaggydev.github.io/posts/cytooxien/
OpSec manually follows HTTP redirects (300-303, 305, 307) and checks each hop for local/private addresses using DNS resolution. If a redirect targets a local address, the connection is blocked. This also handles HTTP 305 proxy redirect attacks by injecting the correct Host header to prevent header leakage. Protection is automatically skipped when connected to a local server.
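The per-hop check described above, sketched as an added example (not OpSec's or ExploitPreventer's own code). The class and method names are hypothetical, the redirect chain is constructed sample data, and failing closed on an unresolvable host is an assumption of this sketch.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.List;

public class RedirectHopCheck {
    // Loopback, wildcard, link-local, RFC 1918 private, or IPv6 unique-local.
    static boolean isLocal(InetAddress addr) {
        if (addr.isLoopbackAddress() || addr.isAnyLocalAddress()
                || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()) {
            return true;
        }
        // isSiteLocalAddress() does not cover IPv6 unique-local (fc00::/7), so test the prefix.
        byte[] raw = addr.getAddress();
        return raw.length == 16 && (raw[0] & 0xfe) == 0xfc;
    }

    // A hop is allowed only if every address its host resolves to is non-local.
    static boolean hopAllowed(URI hop) {
        String host = hop.getHost();
        if (host == null) return false;
        try {
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (isLocal(addr)) return false;
            }
            return true;
        } catch (UnknownHostException e) {
            return false; // assumption: fail closed when the host cannot be resolved
        }
    }

    // Returns the first hop that must be blocked, or null if the chain is clean.
    static URI firstBlockedHop(List<URI> chain) {
        for (URI hop : chain) {
            if (!hopAllowed(hop)) return hop;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed chain: pack URL on a documentation address, then a redirect to a LAN host.
        List<URI> chain = List.of(URI.create("http://203.0.113.10/pack.zip"),
                URI.create("http://192.168.1.1:8080/"));
        System.out.println("blocked hop: " + firstBlockedHop(chain));
    }
}
```

Checking every resolved address, not just the first, matters because a hostname can return both a public and a private record.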
Servers can send translatable text containing keys like key.attack or key.hide_icons in any server packet to probe which keys you have bound or mod UI elements your client can resolve. This can reveal the client's installed mods.
https://wurst.wiki/sign_translation_vulnerability
OpSec tracks when translation keys are being resolved during server packet processing and blocks Minecraft from resolving them based on your selected brand mode:
- Vanilla mode: Blocks all mod keys, returns default keybind values for vanilla keys
- Fabric mode: Allows Fabric API keys and whitelisted mod keys, blocks everything else
- Forge mode: Returns fabricated Forge/FML key resolution values (e.g., fml.menu.mods→"Mods"), blocks other mod keys
When Fake Default Keybinds is disabled, vanilla keybinds resolve to their actual values.
Spoofing mod keybinds (Returns raw keys/fallback value instead of keybind values):
[key.meteor-client.open-commands] '.'→'key.meteor-client.open-commands'
[key.meteor-client.open-gui] 'Right Shift'→'key.meteor-client.open-gui'
Spoofing vanilla keybinds with Fake Default Keybinds enabled (Returns default keybinds):
[key.hotbar.6] 'Q'→'6'
[key.hotbar.7] 'E'→'7'
[key.hotbar.8] 'R'→'8'
Forge mode fabrication (Returns fake Forge values):
[fml.menu.mods] 'fml.menu.mods'→'Mods'
[forge.configgui.forgeCloudsEnabled] 'forge.configgui.forgeCloudsEnabled'→'Use Forge cloud renderer'
Meteor Client has its own key protection implementation, which can lead to guaranteed detection by the key resolution exploit.
Sometimes the server supplies a fallback value, so from a Vanilla client it expects the fallback value rather than the raw key.
Key doesn't exist → returns fallback value
Meteor's key spoofing implementation:
1. When the server sends a sign with {"translate":"key.meteor-client.open-gui", "fallback":"⟦FALLBACK⟧"}:
2. Meteor intercepts during AbstractSignEditScreen constructor
3. Detects "meteor-client" in the key
4. REPLACES the TranslatableTextContent with PlainTextContent.Literal("key.meteor-client.open-gui") to prevent Minecraft from resolving it to key bind values
When the server uses a sign exploit with fallback value on Meteor Client:
'key.meteor-client.open-gui' 'Right Shift'→'key.meteor-client.open-gui'
What a Vanilla response would actually be:
'key.meteor-client.open-gui' '⟦FALLBACK⟧'→'⟦FALLBACK⟧'
OpSec's band-aid fix for Meteor is to blacklist the AbstractSignEditScreenMixin Mixin, which disables Meteor's broken key resolution protection. This lets OpSec's protection take over, which already handles fallbacks correctly to match the Vanilla response.
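A small parity check for the fallback behaviour described above, as an added example (not code from OpSec or Meteor Client). The class and method names are hypothetical and the keybind table is constructed; it compares three ways of answering the same translatable probe against what a Vanilla client would return, with and without a fallback.

```java
import java.util.Map;
import java.util.function.BiFunction;

public class FallbackParity {
    // Constructed sample: the value an unprotected client with the mod installed resolves.
    static final Map<String, String> INSTALLED =
            Map.of("key.meteor-client.open-gui", "Right Shift");

    // Vanilla client: the key is unknown, so it shows the fallback if present, else the raw key.
    static String vanilla(String key, String fallback) {
        return fallback != null ? fallback : key;
    }

    // No protection: an installed key resolves to its bound value.
    static String unprotected(String key, String fallback) {
        String bound = INSTALLED.get(key);
        return bound != null ? bound : vanilla(key, fallback);
    }

    // Literal replacement as described for Meteor: always the raw key, fallback ignored.
    static String literalReplacement(String key, String fallback) {
        return key;
    }

    // Fallback-aware protection: treat the mod key as absent, exactly like Vanilla.
    static String fallbackAware(String key, String fallback) {
        return vanilla(key, fallback);
    }

    // True when the strategy answers both probe shapes the same way a Vanilla client would.
    static boolean matchesVanilla(BiFunction<String, String, String> strategy) {
        String key = "key.meteor-client.open-gui";
        for (String fallback : new String[] { null, "⟦FALLBACK⟧" }) {
            if (!strategy.apply(key, fallback).equals(vanilla(key, fallback))) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        System.out.println("unprotected:         " + matchesVanilla(FallbackParity::unprotected));
        System.out.println("literal replacement: " + matchesVanilla(FallbackParity::literalReplacement));
        System.out.println("fallback-aware:      " + matchesVanilla(FallbackParity::fallbackAware));
    }
}
```

Only the fallback-aware strategy matches Vanilla on both probes. Literal replacement passes the no-fallback probe and fails once a fallback is supplied.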
For users who prefer ExploitPreventer's core protection implementation but still need OpSec's additional features, both can be installed alongside each other. Overlapping features are automatically disabled to let EP handle them; note that you would lose OpSec features such as channel spoofing. The following OpSec features are deferred to EP:
- Brand Spoofing
- Channel Spoofing
- Isolate Pack Cache
- Block Local URLs
- Key Resolution Protection
- Mod Whitelist
These settings are grayed out in the config screen but your saved preferences are preserved. If you remove EP later, they restore automatically.
Features that don't overlap remain fully functional: alerts, chat signing, account manager, telemetry blocking, and Meteor Fix.
If you use Meteor Client with EP but without OpSec, you need a Meteor build that fixes the faulty sign translation protection, such as NikOverflow's patched build, which removes the broken sign protection.
If you continue to use OpSec, this is handled automatically by Meteor Fix regardless of Meteor version.
Servers can query your registered network channels to detect which mods you have installed.
When enabled, OpSec spoofs mod channels that are registered with the server based on your selected brand:
- Vanilla mode: Blocks ALL mod channels (pure vanilla client)
- Fabric mode: Only allows Fabric API channels and whitelisted mods, blocks other mods
- Forge mode: Imitates Forge channels, blocks all mod channels
Warning
May break server-dependent mod(s) if not whitelisted. Use the Mod Whitelist to exempt specific mods like VoiceChat or disable channel spoofing.
Some mods require server communication to function properly (e.g., VoiceChat, Xaero's Minimap waypoint sharing). The whitelist allows you to exempt specific mods from channel spoofing and key resolution protection.
Modes:
- OFF: All mod content is blocked
- AUTO (default): Mods that register network channels are automatically whitelisted, as they are the most likely to have server-side functionality
- CUSTOM: Manually select which mods to whitelist from the installed mod list
When the whitelist is active (AUTO or CUSTOM):
- Brand is forced to Fabric since you are revealing Fabric mods
- Whitelisted mods can register their channels and translation keys normally
- Non-whitelisted mods remain hidden from the server
Note
Only mods that register network channels, translatable keys and keybind keys are shown in the whitelist.
Based on No Chat Reports.
By default, cryptographic signatures are attached to every chat message. Removing them makes it impossible to track and associate your chat messages with your Minecraft client and, by extension, your Microsoft account.
Modes:
- OFF: Strips all chat signatures, but prevents you from chatting on servers that enforce secure chat.
- AUTO: Only signs messages when the server enforces secure chat.
- ON: Default Minecraft behavior, signs every message.
Based on Meteor Client.
Add Minecraft accounts with session tokens and switch between them without restarting the game.
- Session Token Login - Add accounts using access tokens
- Refresh Token - Fetch new session tokens for expired accounts
- Offline Account - Add username-only accounts without authentication
- Account Switching - Click an account to login, click again to logout to original account
- Token Validation - Refresh to check if tokens are still valid (expired tokens marked red)
- Import/Export - Backup and restore accounts via JSON files
Note
Session tokens expire after some time. Use the Refresh button to check validity.
From No Chat Reports.
Minecraft collects and sends telemetry data to Mojang, including:
- Game events and player actions
- Performance metrics
- Client configuration
- Usage statistics
OpSec blocks telemetry from being sent to Mojang when telemetry blocking is enabled. This does not affect gameplay.
- Java 25
- Gradle (included via wrapper)
- Clone the repository

  ```bash
  git clone https://github.com/aurickk/OpSec.git
  cd OpSec
  ```

- Build all versions

  ```bash
  # Windows
  .\gradlew.bat build
  # Linux/Mac
  ./gradlew build
  ```

- Build a specific version

  ```bash
  # Build for a specific version
  ./gradlew :1.21.4:build
  ./gradlew :1.21.11:build
  ./gradlew :26.1:build
  ```

Output JARs are located in versions/<minecraft_version>/build/libs/:
| Build Version | Supports |
|---|---|
| 1.21.1 | 1.21 – 1.21.1 |
| 1.21.4 | 1.21.2 – 1.21.5 |
| 1.21.6 | 1.21.6 – 1.21.8 |
| 1.21.9 | 1.21.9 – 1.21.10 |
| 1.21.11 | 1.21.11 |
| 26.1 | 26.1 |
- ExploitPreventer - Local URL blocking and server key resolution protection anti-measures
- LiquidBounce - Cached server resource pack isolation
- Meteor Client - Session token sign in
- No Chat Reports - Chat signing control and telemetry blocking
- No Prying Eyes - Secure chat enforcement detection
- MixinSquared - Mixin cancellation for Meteor Fix
- Stonecutter - Multi-version build system
- Forge - Forge translation and keybind keys
- Fabric API - Fabric translation and keybind keys
OpSec is a privacy tool designed to protect players from unwanted client fingerprinting and tracking. It is not intended or encouraged for use in bypassing server rules, evading bans, or gaining unfair advantages. Users are responsible for complying with the rules and terms of service of any server they connect to.
