Any way for your web host to retrieve the PlaceId of the place that gave it a POST Request?

I want to know if there is a way your web host can know the PlaceId of the place it got a POST request from, without explicitly saying it in the sent POST data. This is for security reasons on my SQL.

I found a way to get the IP of the Roblox server that’s sending the POST request (it’s the usual 196.168.1.1 when playing locally). But I’m not sure of the significance of it and how I can use it to know the ID of the place.

If anyone has a clue, let me know!!

HttpService automatically sends the roblox-id header in every request, however, it’s not possible to verify that it’s actually correct.


Unfortunately as far as I am aware there is no way to do this other than sending requests with it explicitly stated in the request.

As a matter of interest, what are you worried about in terms of security?

Is there no way to make sure a request came from a Roblox server?

If RequestAsync lets you set the roblox-id header (or any other HttpService function) then that seems like a huge flaw and should be fixed. There’s no reason anyone should have ever been setting it outside of malicious intentions, so backwards compatibility can’t be an issue.

Don’t forget that other programs can send HTTP requests too. Also, no, it’s not realistically possible to verify without authenticating.


If you want security you should use either a shared secret (simple) or some kind of authentication protocol (less simple). Headers can be easily forged.


Best way to do it is to check against the roblox-id header automatically appended by Roblox, and add some sort of API key system to your server to verify requests are legitimate.

I was literally about to make a post about this exact need. For me, the reason I’d need it for security is because I am making an automated group ranking system and, from experience, if an exploiter manages to get access to the script that handles the requests then they can quite easily fake a request using something like postman. This allows them to rank themselves, or someone else, inside the group and gives them a huge amount of power.

Adding to my last reply, using a shared secret (like a password) as authentication is really insecure because, like I said before, most exploiters can easily find the password and then create fake requests.

You don’t make http requests from the client, you make them from the server, which exploiters can’t access when playing your game. You’d give every place a unique shared secret for that place. The external server deduces place information from shared secret. It’s not “really insecure”, that’s an inaccurate exaggeration. Of course a proper authentication protocol is always better (this is what I was already implying in the previous post).

Good point, but even in large groups that have secure systems like that in place, they usually get leaked, but this is possibly due to a developer of the game leaking it themselves, for whatever reason.

Yeah, shared secrets are meant to be kept secret. If you share them with third parties, they’re obviously not shared secrets anymore, and all bets are off.

Yeah. How would you recommend creating a more advanced authentication system?

EDIT: Do you know any tutorials or something, even if they aren’t meant for Roblox specifically?

You could store half of the shared secret in DataStores, so if a developer leaks the game file (or if server scripts are stolen through a rare exploit like we saw a while back), malicious users with the place file still can’t authenticate to your endpoint. And if someone gets server script execution privileges (e.g. backdoor in third-party code), they still don’t have the full key (half is in script source somewhere).

This aside, not sure how you get more advanced than that. Malicious users can do anything you can with request headers, so the only sort of way you can secure the request is with a secret key. Naturally, this key has to be accessible from your game so that it can use it.


That’s actually a really good idea, I’ll probably use that and another authentication method alongside it. I’m looking at somehow using Auth0 and passport, or something similar.

Auth0/etc aren’t going to help you. You still need to store credentials to access Auth0 in your game so your scripts can access Auth0, so it’s no better than a secret key.

Okay, thanks for the heads up!

Security is not as big of an issue on the Server side in modules, as it’s way easier to exploit the client. It is currently very hard to steal modules if someone tried. I have an auto promotion bot running for a 300k+ member group, as well as an automatic funding course for group uniforms. While I do take good precautions, it’s doing fine.

EDIT: Whoops replied to wrong person, mobile.

That statement right there would get your entire web server compromised, don’t listen to that.

I see that my phrasing was wrong here, what I meant to say was that it’s in fact way harder to find vulnerabilities in the server than it is to find them in the client. I have rephrased my reply so it’s easier to interpret.

Also, as a general thing if you have all of the security roblox-side, you are doing something wrong. It is expected that you have security both sides, Server and Roblox. This can be done by sending a key that is required in the Body of every request, and the key can be stored in the DataStore service, as Echo said.
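A server-side check that follows the thread’s advice, as an added example rather than code from any poster: the roblox-id header is treated as forgeable and only selects which place is expected, the shared secret is assembled from a half in the script and a half in a DataStore as suggested above, and instead of sending the key itself in the body the game signs each request with an HMAC over it, so the key never crosses the wire and old captured requests are rejected. Header names, secret halves, place id and the sample body are all constructed assumptions, and the Roblox side is assumed to compute the same HMAC before calling HttpService.

```python
import hashlib
import hmac

# Constructed, hypothetical values: the real halves and place id are the game
# owner's own configuration; nothing here comes from the thread.
SCRIPT_HALF = b"half-kept-in-server-script"
DATASTORE_HALF = b"half-kept-in-datastore"
EXPECTED_PLACE_ID = "123456789"
MAX_SKEW_SECONDS = 60

def full_secret(script_half: bytes, datastore_half: bytes) -> bytes:
    # Both halves are required, so a leaked place file alone cannot authenticate.
    return script_half + datastore_half

def sign(body: bytes, place_id: str, timestamp: int, secret: bytes) -> str:
    # HMAC over place id, timestamp and body: the secret itself never travels.
    msg = f"{place_id}.{timestamp}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_request(headers: dict, body: bytes, secret: bytes, now: int) -> tuple:
    # The roblox-id header is forgeable, so it only says which place to expect;
    # the signature is what proves the sender holds the full secret.
    place_id = headers.get("roblox-id", "")
    if place_id != EXPECTED_PLACE_ID:
        return False, "unexpected roblox-id"
    try:
        timestamp = int(headers.get("x-timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale request (possible replay)"
    expected = sign(body, place_id, timestamp, secret)
    # Constant-time compare; a plain == would leak timing information.
    if not hmac.compare_digest(expected, headers.get("x-signature", "")):
        return False, "bad signature"
    return True, "ok"

def demo() -> tuple:
    # Constructed requests: a genuine ranking call, a forgery made with only the
    # script half of the secret, and a genuine call replayed an hour later.
    secret = full_secret(SCRIPT_HALF, DATASTORE_HALF)
    body, now, old = b'{"userId":1,"rank":255}', 1_700_000_000, 1_700_000_000 - 3600
    good = {"roblox-id": EXPECTED_PLACE_ID, "x-timestamp": str(now),
            "x-signature": sign(body, EXPECTED_PLACE_ID, now, secret)}
    forged = dict(good, **{"x-signature": sign(body, EXPECTED_PLACE_ID, now, SCRIPT_HALF)})
    replayed = dict(good, **{"x-timestamp": str(old),
                             "x-signature": sign(body, EXPECTED_PLACE_ID, old, secret)})
    return (verify_request(good, body, secret, now)[0],
            verify_request(forged, body, secret, now)[0],
            verify_request(replayed, body, secret, now)[0])
```

`demo()` returns `(True, False, False)`: only the request signed with both halves inside the time window is accepted, even though all three carry the correct roblox-id header.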