local module = {
["SecretCode"] = 12345,
}
return module
Let’s say I put this module into ReplicatedStorage. Will exploiters be able to see the secret code even if I never require this specific module script on the client?
If they can see it, I’m pretty sure they can require it by injecting their own code (don’t quote me on it, I don’t exploit PLEASE CORRECT ME IF I’M WRONG.)
Simply yes, exploiters can access anything that is replicated to or currently on their machine. This is because in the event that the client would, but not necessarily require the module, the byte code has to be present.
There are several ways to communicate with module script on the server. For example, the client sends a request to the server to save to a data store,
Remote:FireServer()
The server will get this and the server will use a module script that’s on the server to fulfill the request of the client.
An exploiter will never access the module script, because the module’s byte code is on the server and never sent to the exploiter.
So basically an exploiter can see any module the client has access to. This means anything in Workspace, ReplicatedStorage, and stuff like that. If for some reason, you’re sending modules to the client through remote functions (which you shouldn’t be doing) then they could get that. Otherwise there’s no possibile way they can see a module stored somewhere secure, like ServerStorage.
The way Roblox Replication works is anything stored in
ServerScriptService
ServerStorage
Is not accessible to the client.
Anything stored in
ReplicatedStorage
Is accessible by both Client and Server
Anything stored in
PlayerScripts
Is only accessible by the client.
If you are worried that exploiters can inject code to steal or access module scripts, they can not and never ever access anything thats is in ServerScriptService or ServerStorage. There is no known exploit that allows exploiters to access these containers and their contents on the server.
Game copying is possible because everyone who joins a game is given basic information about the place’s geometry (how the game should look like to the player). Local scripts and the map of a game are vulnerable to being stolen, but server scripts are usually not. I’ve read posts about very rare cases of security issues where specific players are given access to server only objects. This is not avoidable because this is Roblox’s side, we developers are unable to do anything about this.
Edit:
Unless you have a script that sends server scripts per request to the client, then you have a major security issue.
ReplicatedStorage’s contents are replicated to the client. Required or not, clients can see it. An exploiter could even just require it themselves and save the overhead of needing to deconstruct the byte code to get the raw source of the module.
Depending on what you’re doing, if you’re keen on hiding the ModuleScript’s source code from clients, just make put the ModuleScript in a server service and have remotes facilitate communication between the client and the server.
If you use a RemoteFunction to require a remote, the receiving environment will return a nil value. It returns nil because the ModuleScript is now using the environment of the script that required it, not because “byte code isn’t sent through remotes”.
A server requiring the ModuleScript means the returned instance is server-sided, sending it through the remote doesn’t work because the client doesn’t have access to this instance. The same goes vice versa.