How can I defend my remoteEvent?

raincoat_Ubi · October 9, 2023, 1:58am

Is it enough for doing everything on server? Or do I need to add other things such as Cooltimes?

SubtotalAnt8185 · October 9, 2023, 2:01am

Yes, you should definitely prevent people from firing it too often. Try doing this on both the client and server if you can.

Make sure the data the client sends is also accurate.

Skidouski · October 9, 2023, 5:09am

On the client its not as dangerous because its only 1 person and the server controls what events gets fired to the client. I would only advise doing it on the server because clients can inject scripts that can spam remote events or remote functions and this can be dangerous. Just always have the mindset that the client can fire any amount of times and pass malicious arguments to the server, always sanitize the input data from the client and I have a cooldown script which I check if the remote fired is in cooldown. I only use 1 remotevent for my games and the client passes a string argument for what task the client wants the server to do. I like to structure my remotes kind of like an API, so in the dict “requestCallCooldown” You write the name of the event, and then you write time in seconds for how long you want the remote to be cooldowned after being received by the server. If you don’t insert anything it will by default have no cooldown, meaning the client can fire the event as many times as it wants. Make sure the structure your client scripts in a way to handle the server rejecting the clients request like lets say the client tries to eat an item, then make it so that if the server rejects that request then don’t allow the client to eat.

local requestCallCooldown = {
	consumeItem = 1.5
}
local cooldownData = {}
local function handleRequest(Player, Parameters)
	local eventType = Parameters.EventType
	Parameters.Player = Player
	local CooldownTime = requestCallCooldown[eventType]
	if CooldownTime then
		if CooldownTime > 0 then
			local CooldownUnix = tick() + CooldownTime
			if cooldownData[eventType] then
				if cooldownData[eventType][Player.Name] then
					if cooldownData[eventType][Player.Name] <= tick() then
						cooldownData[eventType][Player.Name] = CooldownUnix
					else
						return 404
					end
				else
					cooldownData[eventType][Player.Name] = CooldownUnix
				end
			else
				cooldownData[eventType] = {}
				cooldownData[eventType][Player.Name] = CooldownUnix
			end
		end
	end
	local resData = remoteEvents.runEvent(eventType, Parameters)
	return resData
end

Skidouski · October 9, 2023, 5:14am

Oh, I thought you meant like having cooldowns from the server sending remotevents to the client that is not neccesary. But having a cooldown on the client itself is a very good idea to save network traffic. So add a cooldown on the client and server is a good idea.

Kyl3ST · October 9, 2023, 6:31am

tbh with you there is not “best” way to protect a remoteevent , the way to do it will be different from games to game and devs to devs , but what almost all will prob tell would be “add a cap to how much you can fire the remoteevent” or “add a check on the server sided that check if the player has meet the requirement to fire the event and then accept the remote event” but as i told it will just depends of the game .

system · October 23, 2023, 6:32am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.