Hello, I am relatively new to the whole Security side of Roblox.
I hope that someone with more experience can clarify this.
I know the exploiters cannot access ServerSideScript, or ServerStorage.
From how I understand it, stuff inside of Workspace is replicated to both Client and Server.
When I run the game, I can copy the Part and paste it back into Workspace with the ServerScript inside. (I don’t know if this is something an exploiter can do, or maybe I got the wrong idea.)
If it is possible for an exploiter to just copy things from Workspace, what if I have a Part inside of the Workspace with a ServerScript,
And inside of that Script, I do a require to a module inside of ServerStorage.
Would they have access to the module?
They couldn’t access the module if it’s in a server based service like “ServerScriptService” or “ServerStorage.” So, I suggest putting it in these areas.
Let me try to help explain the way the Server and Client work as best as possible.
Here’s a diagram I quickly just drew up. Each game has 1 server instance. The server handles secure game data and passes this data into clients. Some things, like you said the workspace, are replicated among the server and clients. Other things, for example ServerScriptService, remain on the server and will not replicate due to the client-server boundary (red line in the diagram).
How do you breach this boundary? Roblox offers RemoteEvents & RemoteFunctions for this specific purpose. They help keep your game secure. That said, exploiters can still fire these RemoteEvents and RemoteFunctions and send or receive data from your game causing it to potentially break. You need to be careful but the truth is it is impossible to fully stop exploiters.
In your question you gave the example of a script requiring() a module in ServerStorage. The script is still server-side and therefore is technically secure. Also giving the client access to this module really shouldn’t matter.
When you require() a module you are requiring() it as either the server or client depending on where you require() it from. All a module is is a data container. If you want a module to be server-side or client-side only, within the module you can use RunService:IsClient() to check if it’s the client and return nil if it is rather than what you would normally return.
Remember that the majority of exploits are client-side only so you are able to use this to your advantage.
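As an added example (not code from the thread above), here is the RunService:IsClient() gate described in this reply, plus a server Script that requires the module and exposes it through a RemoteEvent with the validation the reply warns is needed. Module and script names, the "ClaimReward" remote and the reward values are all assumed for illustration.

```lua
--- ModuleScript: ServerStorage/SecretRewards (assumed name)
local RunService = game:GetService("RunService")

-- Return nothing if a client ever manages to require this module;
-- only a server-side require() gets the real table.
if RunService:IsClient() then
    return nil
end

local SecretRewards = {}

-- Constructed sample data; keep real values on the server only.
local REWARD_TABLE = {
    daily = 100,
    weekly = 500,
}

function SecretRewards.getReward(kind)
    return REWARD_TABLE[kind]
end

return SecretRewards

--- Script: ServerScriptService/RewardServer (assumed name)
local Players = game:GetService("Players")
local ServerStorage = game:GetService("ServerStorage")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Requiring from a server Script, so the module returns its table.
local SecretRewards = require(ServerStorage:WaitForChild("SecretRewards"))

local remote = Instance.new("RemoteEvent")
remote.Name = "ClaimReward"
remote.Parent = ReplicatedStorage

-- Any client (including an exploiter) can fire this remote with any
-- arguments at any rate, so the server validates and rate-limits.
local lastClaim = {}
remote.OnServerEvent:Connect(function(player, kind)
    if typeof(kind) ~= "string" then return end        -- reject non-string args
    local amount = SecretRewards.getReward(kind)
    if not amount then return end                      -- unknown reward name
    local now = os.clock()
    if lastClaim[player] and now - lastClaim[player] < 60 then return end  -- cooldown
    lastClaim[player] = now
    -- Grant "amount" here using server-side state only (e.g. leaderstats).
end)

Players.PlayerRemoving:Connect(function(player) lastClaim[player] = nil end)
```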
A client/exploiter cannot decompile the code but can call methods inside a module that is inside the workspace (not sure why that is). Keep server-sided modules to ServerScriptService, and they will work as intended.
– @AstrealDev did a pretty good job explaining it.