Best way to secure your code without paying for it

Thanks! I’ll be looking into this option.

2 Likes

You should note that everything on repl.it is public unless you pay for private repos

3 Likes

What about something like netlify?

2 Likes

I’ve never heard of it personally so I wouldn’t be able to comment.

3 Likes

What I use and recommend is Glitch.
It’s a built-in code editor and it hosts for you. You can make your Project private, and the address will be at <your project name>.glitch.me. Though Projects in Glitch go offline after some time, so that’s why you should also use UptimeRobot which pings a URL you put every 5 (or more) minutes. All of this is for free
Hope this helps!

2 Likes

I like the answer that @congrajhulashions wrote; however, I’d like to go into more detail on how I did a similar thing, but far more secure.

First off, I’d like to say that it doesn’t matter which side of the third-party module debate you were, a solution to private code is needed, and always will be.

For hosting, I highly recommend Firebase, it scales automatically and does much of the work for you.

Just like @congrajhulashions said, pretty much the best way, without it getting really complicated, is to download the code from your server. Now, this is where stuff gets messy if not appropriately secured. This is where the Roblox API comes in! Now, when you connect to a Roblox server, you need its IP. Otherwise, how do you connect to it?

Roblox has an API for joining a server. If used right, this API will return the IP of the server that you put in the request. Compare that to the IP of the request and you know if that request is from a real Roblox server (after taking measures to prevent IP spoofing). Awesome, right? Now, I’m not going to spoon feed you this API, but I’ll point you in the right direction.

Once you know that the request is really from Roblox, you can check your whitelist to see if that place (or owner) is supposed to use your script. If so, send the script to the game. Here there are things you can do to secure it more, but once again, I’m not here to spoon feed you.

Once the game receives the script, you can run it either using the official Roblox loadstring, or a custom one. The official loadstring will probably be more reliable and faster; however, using a custom one means that the game doesn’t need to have loadstring enabled. I use the one from that is inside the Adonis module (search up Adonis in the toolbox to get the main module and then take the Loadstring module from it).

I am currently working on a site called the Marketplace. It can do everything mentioned above and far more. You can read more about it here and here.

Good luck with your project!

4 Likes

Hello! :slight_smile: Here’s the thing, we don’t hide the module. We don’t do anything suspicious, so we allow our users to take our module, and modify it, at their expense. If they do, they won’t receive updates. Really, there is no way to hide modules anymore sadly, I hope that Roblox will end up doing something to either A:) put private modules back into play, or B:) add another way to hide code from users, while it also being moderated.

2 Likes

Hey, be careful using loadstring for one, two code on your server can still be stolen sadly, your best bet is just installing the code in the games and praying to the lord no one stills it, you’re just going to have to trust your users sadly. I would tell you to go to Digital Ocean, it’s far cheaper and better in the long run. If you use firebase IP spoofing is going to be as easy as pie, so don’t be behind a proxy, and NEVER, EVER trust a client or anyone.

Sorry, these are all things I have learned in the past, and I hope these can help you in the future.

2 Likes

I was telling him the most basic way I knew to do it. Personally, most of my products code runs on my server, meaning it is never even sent to the game. This makes leaking the code impossible, aside from tiny snippets.

Also, you can’t “trust your users”. My users can be anyone.

2 Likes

Exactly, you can’t trust anyone… In this case the user @wayIxn is unable to 1:) afford a server 2:) understand how to create a web server
So their best bet is just to install it for the user under a terms, or just give it away :frowning:

2 Likes

“code on the server can still be stolen sadly”

Can you clarify on this? I’m not aware of any methods that allows a user to read or write server code.

2 Likes

I’m talking about their method where they are sending the Roblox LUA to the game server, and running it. You can easaly spoof as a roblox game, i.e I did it for marketplaces API.

1 Like

In the end I just obfuscated the code and made it very clear that I did so.

Remember, obfuscation can be undone in minutes. Hope it works out for you, also please respond to my message :slight_smile:

Afaik no one would like to unobfuscate a simple 100 line script obfuscated with synapse xen and alrighty. :slight_smile:

code is easy to unobsufcate, and all it does is make it harder to read. it can be made easier to read with just a little bit of context and time.

1 Like

@sloss2003
Not sure where you came of the belief that server-side code can be stolen, because it cannot. Outside of people who directly have access to your Team-Create your server-side code is completely safe.

@congrajhulashions
Once again as I said above - what you’re doing is totally unnecessary? Your server-side code is completely safe from the client. There is no way to access it so why in the world would you loadstring it? In-fact if anything you’re actually making your game less secure to backdoors because you’re allowing for the possibility of loadstrings directly from the client.

TLDR;

  • You do not need to ‘hide’ or ‘protect’ your server-side code from prying eyes. They have no access to your server scripts outside of remote-events which do not return anything unless you tell them to.
  • Using HTTP-Service to load all of your scripts is really bad practice - and doesn’t offer you more security. It offers you less, as backdoors commonly target the loadstring property.
1 Like

I never said that? I am saying that web apis that send code to the server can be stolen. There is no surefire way to authenticate a game is a game.

“two code on your server can still be stolen sadly”

Seems like you may have just awkwardly worded your point, my bad for jumping to a conclusion. But yeah, no one should be under the assumption that server-side code is insecure to people who don’t already have a back-door in your game due to developer negligence.

So the HTTP method is just incorrect period cause it trys to solve a non-problem.

2 Likes

Yeah, my fault. Sorry! I was stressed out, just released myCenter v4!