I’m currently want make anti-cheat. I know that exploiters can’t edit server scripts, but can they read them?
11 Likes
They are unable to, though they are able to read ModuleScript and LocalScripts outside of ServerScriptStorage and ServerStorage.
4 Likes
They can’t read them in Workspace too?
1 Like
You can not read ANY ServerScript, though they can read ModuleScripts and LocalScripts outside of ServerScriptStorage and ServerStorage.
If this helped you please mark my topic as the solution! 
14 Likes
ServerScriptService and ServerStorage is not Replicated to the client, so they cannot read anything in them.
However, if a script (Local or not) is anywhere else, it will be replicated, and thus readable.
As I understand it, the client can’t edit a Server script in workspace due to filtering. However I find no information on limits set on the readability of a script in a replicate area.
1 Like
They can’t as source code of a Server Script is not replicated to the client under any circumstances.
2 Likes
Do you have a reference for this information? I checked out scripts on developer hub and there was nothing regarding the access of scripts outside of Server folders.
as far as I’m aware, no
since server scripts are on the SERVER and not directly replicated to the client, they’re not readable by any conventional exploiting means (yet, probably)
other scripts like localScripts and ModuleScripts (somehow) are indeed readable by exploiters, this is because they’re directly on the client which is what the exploit does: inject to a client, not a whole server
not actually sure if you can read server scripts OUTSIDE of ServerScriptService, but i think it’s best to put most server scripts in ServerScriptService just as an extra safety measure
1 Like
The thing is, there’s never any reason to replicate server script sources to the client. Server scripts (as the name implies) only run on the server. There’s no reason for them to be replicated, because they cannot run on the client.
4 Likes
The easiest way to test this is to place a Server script in StarterCharacter. Play Test and look in Explorer for the script. If it replicates and is readable in Studio, it probably is also in a live game.
In general, you shouldn’t have Server scripts anywhere but Server Script Service.
If its on server scripts no , just if its on workspace
Opening a server script in studio changes your playtest from client to server. In reality, from someone with experience in exploits, the client cannot see server scripts. Though the instance may be cloned, the actual script remains empty.
5 Likes
Roblox’s Filtering Enabled system NEVER sends server script bytecode to the client (why would they? it’s clearly a script designed to be ran in the context of the SERVER not CLIENT/LOCAL), it may send Instance data on replicate-able places but the bytecode itself is never sent
1 Like
Exploiters can’t read the sever scripts regardless on where they are, they can see the instance if it’s not in services that replicate to the client, but they can never read the source code
1 Like
Simple, they can’t
Basically every server script (no matter what) aren’t readable since they’re not replicated to the client. If they were able to, they would need to get access to the server sided view which makes it even harder for people to steal so this limits them to reading only localscripts and module scripts
Localscripts can be read since it’s replicated to the client.
However idk if there is a way to detect a script being read/selected during runtime which is a good way to kick any person trying to access them
1 Like
I’ll give you the simplest answer .
no
2 Likes
they cant read them but they can destroy them if there parented to their character…
1 Like
Only on their side, for the server, it’s still there
1 Like
Actually, server scripts that are parented to the player’s character can be deleted by them. I’m not sure exactly why, but it happens. You can test it by deleting the default Health script in the character on the client. If you delete it, the humanoid stops healing.
The effect only happens on the client, but on the server, it should still heal on the server
Besides, why would an exploiter want to prevent themselves from losing health?