Are exploiters able to access ServerStorage and ServerScriptService?

I am currently working on a game and my remotes are under a folder in ServerStorage. I heard some things about DexExplorer (DarkDex) and I am wondering whether exploiters are able to access the things I mentioned in the title, because if someone finds my remotes he/she could easily gain access to some GUIs and in-shop items. And if they can, is there a way to prevent them from doing that?

2 Likes

As far as I know, there is no way for a client to touch anything stored within ServerStorage or ServerScriptService.

1 Like

It’s impossible unless they are hacking. I mean hacking the actual server, which is unlikely. Very unlikely. Which isn’t classed as exploiting… They can see ReplicatedStorage though.

4 Likes

Clients don’t have access to ServerStorage nor ServerScriptService (AKA, they can’t see stuff in there).

Putting remotes in there ain’t gonna work, because (even non-exploiting) clients can’t see that.

When using :InvokeServer(), do sanity checks to prevent exploiting.

3 Likes

No, it’s impossible.

When a client loads into your game, only objects in ReplicatedStorage and ReplicatedFirst, along with Workspace and a few other things, get transferred to the client.

Think of it like when an exploiter deletes their map in the workspace. The server doesn’t care what the client does on their end. Same as how the client can’t see what the server has not shown it.

When designing a game, hide important aspects and sensible code such as data on the server. Anything gameplay related should be put in a LocalScript to give the best experience to the player, since it’s running on their machine and not over a network.

1 Like

Can you give me advice on how to “hide” or save my remotes?

Do sanity checks with the remotes, that’s really all you can do or use a networking module + sanity checks. That’s pretty much all you can do.

Whenever a player does a certain action that affects data, have the server add it and process the logic.

For example, if the player performs an action that earns them 20 coins, do not allow the client to send the coin amount for the server to add. Have the server process and sanity check the player’s action first. If it all checks out, add the coin amount from the server and relay the result to the player.

The player should only have “get” data remote events or functions. Do not expose any “set” data remote events or functions to the player. Keep those hidden in the ServerStorage/ServerScriptService.

4 Likes
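
The server-side sanity checking described in the replies above, written out as an added example that is not code from any poster in this thread. The RemoteEvent name `CollectCoin`, the `workspace.Coins` folder, the `leaderstats.Coins` value and the numeric limits are all assumptions made for illustration.

```lua
-- Added example (not from the thread). Script placed in ServerScriptService.
-- Assumed names: RemoteEvent "CollectCoin" in ReplicatedStorage, a folder
-- workspace.Coins holding coin Parts, an IntValue leaderstats.Coins per player.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local collectCoin = ReplicatedStorage:WaitForChild("CollectCoin")
local coinsFolder = workspace:WaitForChild("Coins")

local COIN_VALUE = 20      -- decided by the server, never sent by the client
local MAX_DISTANCE = 12    -- studs; leaves some room for latency
local MIN_INTERVAL = 0.25  -- seconds between accepted requests per player

local lastRequest = {}     -- [Player] = os.clock() of the last accepted request

collectCoin.OnServerEvent:Connect(function(player, coin)
	-- 1. Type check: every argument after `player` is client-controlled.
	if typeof(coin) ~= "Instance" or not coin:IsA("BasePart") then return end

	-- 2. The coin must be a live coin the server created. A coin that was
	--    already collected has been destroyed, so its Parent is nil.
	if coin.Parent ~= coinsFolder then return end

	-- 3. Rate limit per player.
	local now = os.clock()
	if now - (lastRequest[player] or 0) < MIN_INTERVAL then return end

	-- 4. Plausibility check: the character has to be near the coin.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return end
	if (root.Position - coin.Position).Magnitude > MAX_DISTANCE then return end

	-- All checks passed: the server removes the coin and adds the amount.
	lastRequest[player] = now
	coin:Destroy()

	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if coins then coins.Value += COIN_VALUE end
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil
end)
```

The client only reports which coin it touched; the amount, the eligibility decision and the data write all stay in a script the client cannot see or call directly.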