I use some scripts in the workspace for ClickDetectors and such. Are these secure, or can clients see and edit them? Should I switch to using RemoteEvents to run the actions contained inside the Scripts?
The contents of regular Scripts (not LocalScripts) are never replicated to the client.
Depends. As @Deferend said, the contents of Scripts are never replicated. However, in my opinion events are the most secure method of server and client communication.
Realistically you should aim to keep your scripts out of the workspace since that’s what ServerScriptService is for. I know it makes things convenient but in the long run, depending on the way you’re engineering your systems, it’d be better to keep them all in one service canonically responsible for holding all server-side code.
Clients are not able to, regardless of location, see the content of scripts. They can’t exactly modify the scripts that they do see either (LocalScripts), rather an exploit is intended to rework what functions do, what variables are assigned to or send out tampered data to venues (e.g. remotes).
Do be cautious: ModuleScripts, as they can be required by both the server and the client, can be seen by exploiters, hence why you should keep that kind of content in the server services where children are not replicated to the client and thus secure.
RemoteEvents are only useful if you need to cross the client-server boundary to execute certain actions or raise something at a point in your game.
I was under the impression that ModuleScripts required only by server scripts were secure. Is this not the case?
Just because only server scripts require a ModuleScript, doesn’t mean it’s secure. If it’s in a container that’s replicated to the client, the client will be able to access it for whatever purposes they intend. It is only secure when it is present in a server-only container.
Depends on where it is. If it is in ServerScriptService or ServerStorage, then it can only be accessed by the server. But if it is anywhere else, it is accessible to both the server and the client.
I don’t believe that is relevant to what he was asking.
It’s relevant – the location of the ModuleScript is important, as @colbert2677 pointed out, since, if I’m understanding this correctly, a ModuleScript in Workspace would still be visible to the client.
You are correct on that one…
Yes, he’s correct. He was referring to Scripts (also known as server scripts), not LocalScripts (which are visible to the client) or ModuleScripts (which can be visible depending on location).
I see. I read the post incorrectly, I believed when he said scripts he was referring to ModuleScripts and Scripts.
These are a few questions I get a lot:
Can exploiters edit scripts in the workspace?
A: No. There ARE certain parts of the workspace that exploiters can disable, though.
Where can exploiters disable Server Ended Scripts in the Workspace?
A: If a Server Script is in a player (game.Workspace.[Player_Username]) / game.StarterPlayer.StarterCharacterScripts, a player CAN DISABLE THAT SCRIPT to prevent it from running.
It’s your best bet to put any scripts that would be in the workspace into game.ServerScriptService to prevent exploiters from disabling stuff. In general, this is best practice because exploiters will have no way to even view that these scripts exist due to them not being replicated across the client-server boundaries. If you need to run a script when a player joins and resets, use the following code instead:
```lua
game.Players.PlayerAdded:Connect(function(player) -- When the player joins
	player.CharacterAdded:Connect(function(character) -- If the player dies, run the code again
		-- Your code here
	end)
end)
```
Hope this helps,
What can they disable? As far as I know exploiters can only change what they have network ownership of.
Thank you for the explanation, I’d love to be able to tag two solutions, but thanks for the response!
Scripts that the player has under their model, they can edit. My description may not be great, but this image may help.
That’s exactly what I thought, thanks for the clarification.
Have a great day,
This isn’t correct. Clients cannot edit scripts in their character either. They can’t edit scripts, period. That’s not how exploits work. They rework what things are assigned to and send tampered data, they don’t modify scripts. In the realm of property modification, anything that replicates beyond physics and animations is an error in the replication model.
By edit, I mostly meant changing the script.Disable property. That is still doable.
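The placement advice from this thread, as an added example that is not code from any poster: one Script in ServerScriptService handles every ClickDetector, and the action logic lives in a ModuleScript in ServerStorage so neither is replicated. The tag name `ClickableDoor`, the module `DoorActions` and its `toggle` function are hypothetical, and the tagged instances are assumed to be BaseParts with a ClickDetector child.

```lua
-- Script placed in ServerScriptService (server-only container, never replicated).
local CollectionService = game:GetService("CollectionService")
local ServerStorage = game:GetService("ServerStorage")

-- Hypothetical ModuleScript kept in ServerStorage so clients cannot read its source.
local DoorActions = require(ServerStorage:WaitForChild("DoorActions"))

local TAG = "ClickableDoor" -- hypothetical tag applied to the clickable parts in Workspace
local RANGE_SLACK = 5 -- studs of tolerance for latency (assumed value)

local function bind(part)
	local detector = part:FindFirstChildOfClass("ClickDetector")
	if not detector then
		warn(("%s is tagged %s but has no ClickDetector"):format(part:GetFullName(), TAG))
		return
	end

	-- MouseClick fires on the server and passes the player who clicked.
	detector.MouseClick:Connect(function(player)
		-- Treat the click as client-originated input: re-check range on the server
		-- using positions the server holds, not anything the client reports.
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		if not root then
			return
		end
		local distance = (root.Position - part.Position).Magnitude
		if distance > detector.MaxActivationDistance + RANGE_SLACK then
			return
		end
		DoorActions.toggle(part, player) -- hypothetical server-side action
	end)
end

-- Bind parts that already exist, then any that are tagged later.
for _, part in ipairs(CollectionService:GetTagged(TAG)) do
	bind(part)
end
CollectionService:GetInstanceAddedSignal(TAG):Connect(bind)
```

No RemoteEvent is needed here because the ClickDetector event is already delivered to the server; the parts stay in Workspace, only the code moves.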