We are excited to announce a new replication security feature for your experiences: Workspace.RejectCharacterDeletions. Enabling this feature will prevent client-side deletion of descendants in a player’s character from being replicated up to the server.
Opting Into Workspace.RejectCharacterDeletions
This solves an entire class of exploits related to the character, but has the potential to break existing scripts that rely on this behavior.
For this reason, we are releasing this as a “3-stage rollout” setting with the following options:
Disabled - Keep the current behavior
Enabled - Character deletions will no longer replicate from client to server
Default - Currently, this means the same as Disabled, but will switch to mean Enabled as we continue to roll this feature out
You should change this setting to Enabled as soon as possible and make any necessary script changes. This will prevent unexpected changes in behavior in the future when Default is changed.
Please let us know if you run into issues with this feature. We will actively work to make this feature compatible with as many experiences as possible.
When a player doesn’t have a character, they can delete instances under their Player object such as PlayerGui. Will this change also cause instance deletions under the Player object to not replicate while the player doesn’t have a character?
Yay, I will no longer have to sanity check if a player has a Humanoid or not!
In contrast, it appears that in a similar update, physics for dead players was recently ‘patched’ (players are now forced to server network-ownership on-death) damaging any client-side code which attemps to move players on-death. While this is likely unrelated to this roll-out, it is still deeply damaging to my experience as unlike this update, there is no opt-out for the physics anti-cheat change.
Just wanted to say - I really appreciate you guys working on this and want to say thank you for putting the effort into working on these changes, especially with how much anti-cheat work I had to put into weird behaviours around character replication in Islands.
Glad this’ll be less of an issue in future with these changes.
We’ve seen some experiences which delete the LocalPlayer’s Head or Neck to force character death on the server. Instead, you’d want to use a RemoteEvent to accomplish this.
Insecure humanoid replications have been the bane of my existence for a while as a platformer dev. This is a very welcome change, I can remove all sorts of jank code now surrounding interactions with player avatars!
This update is an absolute god-send! Gone are the days that I manually have to check for instances being removed by the client in my anti-exploit! Removal of instances would cause an invisibility glitch with the custom character rig in my game, with the anti-exploit, it fixed this issue but now the anti-exploit measure isn’t needed! Great updates so far!
WALLAHI I LOVE THIS CHANGE SO MUCH this is genuinely the best thing ever, thank you for gracing this earth with such divine information. I cant begin to explain how good this is. Thank you!!!
How will this affect games that depend on this behavior but aren’t maintained anymore? Will this remain Disabled for legacy projects so they aren’t broken?
WALLAHI I LOVE THIS CHANGE SO MUCH this is genuinely the best thing ever, thank you for gracing this earth with such divine information. I cant begin to explain how good this is. Thank you!!!