Can exploiters view source code in modules if they are never required?


Let’s say I have a simple module script:

local module = {
    ["SecretCode"] = 12345,

return module

Let’s say I put this module into ReplicatedStorage. Will exploiters be able to see the secret code even if I never require this specific module script on the client?


If they can see it, I’m pretty sure they can require it by injecting their own code (don’t quote me on it, I don’t exploit PLEASE CORRECT ME IF I’M WRONG.)


Simply yes, exploiters can access anything that is replicated to or currently on their machine. This is because in the event that the client would, but not necessarily require the module, the byte code has to be present.


Is it possible to require a module from RemoteFunction?


You mean require a module that’s on the server?




No, I don’t think that’s possible. Byte code is not sent through remotes, hence the remote would return nil.


So there is no way to hide the source of the modulescript?


There are several ways to communicate with module script on the server. For example, the client sends a request to the server to save to a data store,

The server will get this and the server will use a module script that’s on the server to fulfill the request of the client.

An exploiter will never access the module script, because the module’s byte code is on the server and never sent to the exploiter.


Why do you need to hide the source in the first place?


Exploiters can view the source scripts that are in ReplicatedStorage,ReplicatedFirst,Players,Workspace,Lighting ect.


That’s not a good reason. Exploiters can view all your normal local scripts’ source code too.

You should never need to hide source code on client. Everything important should be on the server.


Even ServerScriptService and ServerStorage?


Exploiters can’t see that unless you replicate it to the client. If you have a 100% server-side module, an exploiter can’t get it.


Yes, they can inject their own code.


So basically an exploiter can see any module the client has access to. This means anything in Workspace, ReplicatedStorage, and stuff like that. If for some reason, you’re sending modules to the client through remote functions (which you shouldn’t be doing) then they could get that. Otherwise there’s no possibile way they can see a module stored somewhere secure, like ServerStorage.


The way Roblox Replication works is anything stored in

  • ServerScriptService
  • ServerStorage

Is not accessible to the client.

Anything stored in

  • ReplicatedStorage

Is accessible by both Client and Server

Anything stored in

  • PlayerScripts

Is only accessible by the client.

If you are worried that exploiters can inject code to steal or access module scripts, they can not and never ever access anything thats is in ServerScriptService or ServerStorage. There is no known exploit that allows exploiters to access these containers and their contents on the server.


Then how do they copy whole game with server-side code too?


Game copying is possible because everyone who joins a game is given basic information about the place’s geometry (how the game should look like to the player). Local scripts and the map of a game are vulnerable to being stolen, but server scripts are usually not. I’ve read posts about very rare cases of security issues where specific players are given access to server only objects. This is not avoidable because this is Roblox’s side, we developers are unable to do anything about this.

Unless you have a script that sends server scripts per request to the client, then you have a major security issue.


ReplicatedStorage’s contents are replicated to the client. Required or not, clients can see it. An exploiter could even just require it themselves and save the overhead of needing to deconstruct the byte code to get the raw source of the module.

Depending on what you’re doing, if you’re keen on hiding the ModuleScript’s source code from clients, just make put the ModuleScript in a server service and have remotes facilitate communication between the client and the server.

@DevOfLua @wevetments

If you use a RemoteFunction to require a remote, the receiving environment will return a nil value. It returns nil because the ModuleScript is now using the environment of the script that required it, not because “byte code isn’t sent through remotes”.

A server requiring the ModuleScript means the returned instance is server-sided, sending it through the remote doesn’t work because the client doesn’t have access to this instance. The same goes vice versa.


Some games just have the script instances, they don’t have the code itself. If I had to guess:

  • A developer leaked content
  • The source was stolen via a security vulnerability
  • Exploits that existed before FilteringEnabled (though I doubt even this)
  • A security fault or one of the developer