Can exploiters READ server scripts?

I’m currently want make anti-cheat. I know that exploiters can’t edit server scripts, but can they read them?


They are unable to, though they are able to read ModuleScript and LocalScripts outside of ServerScriptStorage and ServerStorage.


They can’t read them in Workspace too?

1 Like

You can not read ANY ServerScript, though they can read ModuleScripts and LocalScripts outside of ServerScriptStorage and ServerStorage.

If this helped you please mark my topic as the solution! :smiley:


ServerScriptService and ServerStorage is not Replicated to the client, so they cannot read anything in them.

However, if a script (Local or not) is anywhere else, it will be replicated, and thus readable.

As I understand it, the client can’t edit a Server script in workspace due to filtering. However I find no information on limits set on the readability of a script in a replicate area.

1 Like

They can’t as source code of a Server Script is not replicated to the client under any circumstances.


Do you have a reference for this information? I checked out scripts on developer hub and there was nothing regarding the access of scripts outside of Server folders.

as far as I’m aware, no
since server scripts are on the SERVER and not directly replicated to the client, they’re not readable by any conventional exploiting means (yet, probably)
other scripts like localScripts and ModuleScripts (somehow) are indeed readable by exploiters, this is because they’re directly on the client which is what the exploit does: inject to a client, not a whole server

not actually sure if you can read server scripts OUTSIDE of ServerScriptService, but i think it’s best to put most server scripts in ServerScriptService just as an extra safety measure

1 Like

The thing is, there’s never any reason to replicate server script sources to the client. Server scripts (as the name implies) only run on the server. There’s no reason for them to be replicated, because they cannot run on the client.


The easiest way to test this is to place a Server script in StarterCharacter. Play Test and look in Explorer for the script. If it replicates and is readable in Studio, it probably is also in a live game.

In general, you shouldn’t have Server scripts anywhere but Server Script Service.

If its on server scripts no , just if its on workspace

Opening a server script in studio changes your playtest from client to server. In reality, from someone with experience in exploits, the client cannot see server scripts. Though the instance may be cloned, the actual script remains empty.


Roblox’s Filtering Enabled system NEVER sends server script bytecode to the client (why would they? it’s clearly a script designed to be ran in the context of the SERVER not CLIENT/LOCAL), it may send Instance data on replicate-able places but the bytecode itself is never sent

1 Like

Exploiters can’t read the sever scripts regardless on where they are, they can see the instance if it’s not in services that replicate to the client, but they can never read the source code

1 Like

Simple, they can’t

Basically every server script (no matter what) aren’t readable since they’re not replicated to the client. If they were able to, they would need to get access to the server sided view which makes it even harder for people to steal so this limits them to reading only localscripts and module scripts

Localscripts can be read since it’s replicated to the client.

However idk if there is a way to detect a script being read/selected during runtime which is a good way to kick any person trying to access them

1 Like

I’ll give you the simplest answer .



they cant read them but they can destroy them if there parented to their character…

1 Like

Only on their side, for the server, it’s still there

1 Like

Actually, server scripts that are parented to the player’s character can be deleted by them. I’m not sure exactly why, but it happens. You can test it by deleting the default Health script in the character on the client. If you delete it, the humanoid stops healing.

The effect only happens on the client, but on the server, it should still heal on the server

Besides, why would an exploiter want to prevent themselves from losing health?