1) Workspace hackable? 2) ServerStorage vs ReplicatedStorage

Hi all.

I have a few concepts that I am having trouble understanding. I know it is good practice to not place things in client so as to prevent hacking / cheating.

  1. I am making a zombie game, so all the common parameters like health and damage are kept under a folder in workspace. If I understand correctly, workspace belongs to server, so people can just change the values?

  2. Initially I kept all the master copies of the zombies and soldiers in ServerStorage. However, I see many examples where people use ReplicatedStorage. Is there a reason, or is it just a preference? As before, my purpose is to prevent players from editing it.

Thank you community!

2 Likes

ReplicatedStorage is also something a client can see.

1 Like

It shouldn’t matter if exploiters can see these values. You should be using the health and damage values on the server; if you do, then when the client changes these values, it is basically like inspect element. They are changing it for themselves but not anyone else. Things are put in ReplicatedStorage when the client needs to read stuff in there; if the client doesn’t need the stuff there, it can be put in ServerStorage.

5 Likes

No, they cannot edit value objects under the workspace. Because of FilteringEnabled, only the client will see the change; thus, if you have the server reading/setting the values, it will only have the correct values.

1 Like

The only things replicated to the server from the client are:

  • Network Ownership (Unanchored parts near the client)
  • Player Movement (To a certain extent, desync is possible in some cases)
  • Remote Firing

4 Likes

Thanks all for the reply… just to be clear, these are the master copies of NPCs to be spawned during gameplay… so I guess the client needs it and it should be in ReplicatedStorage?

As said by people earlier in the thread, you use ReplicatedStorage when the client needs to read something from it. If you are cloning the NPCs from the client side, you will need to store them in ReplicatedStorage; otherwise, if everything is handled by the server, you can use ServerStorage.

But keep in mind that ReplicatedStorage can be used for both Server & Client Sided Scripts.

1 Like

The zombie items can be kept wherever you want; as long as the health and damage are not controlled by remotes, they cannot be changed. Additionally, assuming you have guns to damage the zombies, the best practice for damaging them with a remote would be to check if the player has a gun on the client and server side, to not spam the gun damaging remote.

1 Like

Thanks. Quick question: if the damage script is on the weapon itself, which is then equipped by the player, is it open for hacking?

For example, onTouched, humanoid take damage.

Yes, if you have it simplified enough, it can easily be open to hacking, like having the damage script fire a remote of the damaged humanoid. But if you were to do coordinates instead, or have some kind of anti-exploitable remote, such as having the raycast on the server side, then no, they couldn’t exploit it.

1 Like
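The server-side checks discussed in this thread (gun check, remote spam limit, raycast on the server), sketched as an added example that is not code from any of the posts above. The RemoteEvent name `FireGun`, the `Zombies` folder, the tool's `Handle` part and the tuning constants are all assumptions made for illustration.

```lua
-- Server Script in ServerScriptService (added example; all names are assumptions).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local fireGun = ReplicatedStorage:WaitForChild("FireGun") -- hypothetical RemoteEvent
local zombies = workspace:WaitForChild("Zombies")         -- hypothetical folder of spawned NPCs

-- Tuning values live in this server script; nothing the client sends can change them.
local DAMAGE, MAX_RANGE, COOLDOWN = 25, 300, 0.2
local lastShot = {} -- [Player] = os.clock() of the last accepted shot

fireGun.OnServerEvent:Connect(function(player, aimPoint)
	-- 1. The only client-supplied argument is an aim point; no damage or target is accepted.
	if typeof(aimPoint) ~= "Vector3" then return end

	-- 2. The server decides whether the player is actually holding a gun.
	local character = player.Character
	local tool = character and character:FindFirstChildOfClass("Tool")
	local handle = tool and tool:FindFirstChild("Handle")
	if not (handle and handle:IsA("BasePart")) then return end

	-- 3. Per-player rate limit so the remote cannot be spammed.
	local now = os.clock()
	local last = lastShot[player]
	if last and now - last < COOLDOWN then return end
	lastShot[player] = now

	-- 4. Raycast on the server, starting from the server's copy of the gun.
	local offset = aimPoint - handle.Position
	local dist = offset.Magnitude
	if not (dist > 0 and dist < math.huge) then return end -- also rejects NaN input
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	local hit = workspace:Raycast(handle.Position, offset.Unit * MAX_RANGE, params)
	if not hit then return end

	-- 5. Damage is applied only if the server's own ray hit a zombie.
	local model = hit.Instance:FindFirstAncestorOfClass("Model")
	local humanoid = model and model:IsDescendantOf(zombies)
		and model:FindFirstChildOfClass("Humanoid")
	if humanoid and humanoid.Health > 0 then
		humanoid:TakeDamage(DAMAGE)
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastShot[player] = nil -- drop rate-limit state when the player leaves
end)
```

The handle position still follows the character, whose movement the client replicates (as noted earlier in the thread), so a separate server-side movement sanity check is a reasonable companion to this handler.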