Can you use module scripts on the client?

My question is the above. Are there any vulnerabilities or risks that come with using it on the client?

You can use a modulescript on the client, but changes made in a modulescript don’t replicate to the server, so there shouldn’t be any risks of requiring a modulescript on the client unless you are holding important data in them; in that case you shouldn’t even replicate it to the client in the first place.

Someone told me it gives the client access to the server side or something?

It can’t give the client access to the server, that’s not how modulescripts work.

A module script will inherit the characteristics of the script that called it.

So if a local script calls it it will run like a local script.
This means:

  • Does not replicate to server or other clients
  • Can’t access some things, e.g. DataStores

If a server script calls it it will run like a script.

  • Changes replicate
  • Can access DataStores etc.

The risks with modules:

  • If storing variables there’s a good chance they can change them (Via memory)
  • If the module is intended to run locally then it can still be fully operational when exploiters call them (Given they use the correct info)
  • If the module fires a remote connected to the server then it can lead to exploitation of the connected server script. (Just don’t use remotes within modules)

Some Security:

  • Get the run service to see if it is running on client or server. This way if they try to run a server script on their client you can ban them immediately.
  • When using variables you want to obscure them and wipe them immediately after use so they can’t be read.
  • Make the module have a sanity check (I would encrypt this so they can’t simply see what you are putting in there)
16 Likes

If you’re using a common ModuleScript put in ReplicatedStorage for instance because it has useful utility functions for both client and server, that’s fine. You just don’t want to forget the fact in the future that there will continue to be a client version, so you don’t want to start adding things to it that are only useful for the server side that could give some clues to potential exploiters as to some secret inner workings of your server code. This would just be an information leak, not necessarily a directly exploitable hole.

1 Like
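
An added example (not code from any of the posts above) of a shared ModuleScript in ReplicatedStorage that applies the points raised in this thread: it reports the context it inherited from its caller, keeps only secret-free helpers in the replicated copy, and re-validates remote arguments on the server. The names `SharedUtil`, `sanitizeQuantity` and `bindPurchaseRemote` are hypothetical, and the purchase scenario is assumed for illustration.

```lua
-- ReplicatedStorage/SharedUtil (ModuleScript). All names here are hypothetical.
local RunService = game:GetService("RunService")

local SharedUtil = {}

-- The module runs in the context of whichever script required it.
function SharedUtil.context()
	return RunService:IsServer() and "server" or "client"
end

-- Context-neutral helper: safe to replicate because it holds no secrets.
-- Returns a whole number in [1, maxQuantity], or nil for anything else.
function SharedUtil.sanitizeQuantity(value, maxQuantity)
	if type(value) ~= "number" or value ~= value then -- non-number or NaN
		return nil
	end
	if value % 1 ~= 0 or value < 1 or value > maxQuantity then
		return nil
	end
	return value
end

-- Server-only wiring. The client's copy of this function is never trusted;
-- the guard just fails fast if the module is required from the wrong side.
-- `remote` is a RemoteEvent; `onValid(player, quantity)` is supplied by a
-- Script in ServerScriptService, so prices and balances never live here.
function SharedUtil.bindPurchaseRemote(remote, maxQuantity, onValid)
	assert(RunService:IsServer(), "bindPurchaseRemote must be called from a server Script")
	return remote.OnServerEvent:Connect(function(player, rawQuantity)
		-- Every argument after `player` comes from the client: re-validate it here.
		local quantity = SharedUtil.sanitizeQuantity(rawQuantity, maxQuantity)
		if quantity == nil then
			warn(("Rejected purchase request from %s"):format(player.Name))
			return
		end
		onValid(player, quantity)
	end)
end

return SharedUtil
```

A LocalScript can still call `sanitizeQuantity` for UI feedback, but only the result computed inside the server's `OnServerEvent` handler decides what happens.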