Could they in theory just change their max health to some absurd number, and their walkspeed?
walkspeed and health values will only change on the client, but since the client has control over character position if they change their walkspeed they can still move really fast.
there used to be an exploit that makes a player immortal, but im not sure if this is still a thing anymore, its also really easy to fix by just removing a character instance if it stays at 0 health for too long.
Anything that is client sided can be manipulated by an exploiter. This can include health, speed, jump power, etc. They are also able to create instances only their client can see such as parts. While some values do replicate to the server and can be easy to detect, other values will need to be detected differently.
If the client has control over it, then it’s vulnerable. Every client has physical control over their character, preventing clientside lag.
On their client, exploiters can do many things, such as teleporting, firing remote events, and even accessing things that normal LocalScripts can’t access (like CoreGui’s descendants).
Yes, this is still a thing.
Correct me if I’m wrong, I didn’t test this a lot
Normally, people die when you set their health to 0 on the server. However, the state change is handled by the client, and an exploiter can disable this change effectively achieving godmode.
Only BaseParts can be set NetworkOwnership to, but the Humanoid controls these BaseParts on the client, so movement settings which have to do with the parts in the characters such as JumpPower or WalkSpeed can be exploited, but Health is not one of these. There is a server script in your character that calculates your Health and handles it.
If you place serverscripts inside of characters can exploiters still access them?
Exploiters cannot access or view server scripts.