In my efforts to implement anti exploiter tactics in a game I’m making, I’ve been needing a way to be able to spawn in map areas for clients as needed via the server without storing them in a place where exploiters can simply go in and copy and paste them into Workspace as accessing these map areas is part of game progression. My current method that I would consider to be only sort of secure is when the player firsts joins, a script on the client sets the parent of the map areas to nil so that they’re still loaded on the client side but players can’t see/interact with them. The problem with method is, as far as I’m aware, exploiters are able to find unparented instances and access them that way, in this case reparenting them to Workspace.
I’ve seen a method where the server copies an instance over to ReplicatedStorage, sends a reference to that instance to the client, where the client reparents it/copies it, after which the server removes it from ReplicatedStorage. My concern with this is that an exploiter could have a script running that looks for those instances being parented to ReplicatedStorage and just copy them that way.
A method that I found that, in all honesty is almost too good to be true as it basically works exactly as I need, is to have the map areas stored in ServerStorage where once the server knows that the player has met the requirements it will clone the map section into the clients PlayerGui where the client will then parent it into Workspace. On the server side, the map section will appear to remain in the clients PlayerGui while on the client side it will be in Workspace where they can see and interact with it. Interestingly, even if the map section parented directly to PlayerGui and not a ScreenGui with ResetOnSpawn set to true, if the player dies and respawns the map section will be removed from both client and server side. Though if parented to a ScreenGui with ResetOnSpawn set to false then it will remain on both client and server side.
Now, here’s my concern. I have enough game developer experience to know that this is somewhat of a hacky method of going about it. Given that these are entire map areas and not just a couple of parts or other instances, I’m concerned about potential server side lag. Movement of parts, particle effects, etc are done on the client side, however. While the notably largest of these areas is the last one, and I personally doubt most people would even play long enough to reach it, it does has a total instance count of 10109 (2500+ of those are BasePart instances). The next largest map area is about half way through and has about 1900 instances. Having the server potentially handling more than one of even the smaller count one I mentioned at a time, either cloning it to parent or destroying it when needed, would more likely than not cause notable lag.
Another thing I would be concerned with is some sort of memory leaking. I’m not sure as to why the map areas, or any BasePart instance, gets deleted when parented directly to PlayerGui when the player respawns so I’m weary of, this being the hacky method that it is, causing some notable memory leaks or something.
What potential problems could I face if I choose to use this method and what improvements could I make to this method?
Any thoughts and opinions on how to improve on this, or concerns I’ve not thought of, would be appreciated.