I want to make an anti-exploit for my movement system by requiring modules that will be parented to the local script when the player joins and deleted after it is required.
Right now I have a local script that controls player movement. (Sprinting, sliding, vaulting, crawling) All the properties of sprint speed, walk speed, sliding force/distance, etc, are all variables in the local script.
I have tried looking up different methods to stop exploits by using server-side checks or by moving movement to the server instead of client but these are either giving players false warnings or giving players latency which is bad for the movement.
I do not completely know how exploits work but my thought process is that the player cannot change or view scripts in ServerScriptService, makes the module unchangeable (I think), and won’t be there on server startup and deleted after it is required.
Any feedback or any other ways to prevent exploits would be greatly appreciated.
Anything you do on the client can be manipulated by a dedicated attacker, they have many tools and functions in their suite, here’s the most relevant ones that I’m aware of:
Adding to what Nowoshire said, clients have access to all client scripts.
Modulescripts can exist in both client and server. You can think of it like copy-pasting the code to both client and server, as they are essentially separate scripts with the same source.
This means a client could edit the modulescript to be what they want still.
The best way to prevent abuse is to utilize a mixture of server and client scripts and never rely on the client as being trustworthy.
Latency is often an issue in cases like movement and timing uses of abilities / weapons, so it gets complicated quickly when trying to ensure it’s fair but preventing exploits. Working on latency issues is referred to as lag compensation, and it’s a rabbit hole to jump down.
Keep in mind (most) changes made on the client won’t replicate to the server, you don’t have to worry about exploiters being able to change your modules on the server-side.
Doesn’t mean you can’t at least try implement some sort of client-side detection though!
You’ll probably be able to detect the basic “universal” ones like Infinite Yield, there’s plenty of methods around here you can search for.
The Server checks are basically always the most important. You’ll want both in many contexts, such as lag compensation.
The server is what distributes information to all clients, so it’s responsible for what happens.
If the server is secure, the game is secure enough to prevent most of the issues from affecting other players.
Roblox experiences are multiplayer by default and run in a client-server model. The Roblox server is the ultimate authority for maintaining the experience’s state, and is responsible for keeping all connected clients in sync with the server.
To assist with simulation performance, Roblox can assign ownership of assemblies to a specific client or server… Ownership typically happens automatically, but you can assign it directly for fine-tuned responsiveness.
