Check if HTTP Request comes from roblox game server?

Alright, thanks.

1 Like

Why’d you say no? The answer seems to be yes.

If it’s something developers can put into their game, then there’s nothing you can really do about people finding your URL.

It’s encoded code. They can’t see it.

1 Like

If this is going into any game that requests to add it, you can’t hide the url. All urls are logged to the dev console.
If you’re scared people will spam it, then the solution is above, but if you are trying to hide it to keep it secret, sadly that won’t work.

1 Like

Not only can you read the URLs from the developer console, but I could also easily proxy your methods to HttpService if I put it in my place and see the exact headers, URL, body, etc. Also, “encoded code” doesn’t mean anything here. I think you meant obfuscated.

1 Like

There is actually a way to see if it is coming from a Roblox server. Although mot much talked about, it is doable, but it takes time.

I am not going to get into a lot of details as this is an open thread for everyone to see.

You send the jobId and the placeId in a request to your server in exchange fo a temporary access code. “Why would I do that?” - well, because:

Your computer needs to know what to connect to when you want to play a game. If you can manage to find out how to do it, then you can make sure a request is from a Roblox server.

I spent hours to figure it out, so I could use it for my site. I made some progress, but stopped in the end.
And if you don’t believe me, well Froast made a post just like this:

Now, it’s up to you and how much you really want to do,

Correct me if I’m wrong, but weren’t the requests made with RequestAsync() not logged into it?

It is. There is a php function geoip_isp_by_name(). You can use it to check if the ISP of the ip the request comes from is the same as one of a roblox ip. From that point check the headers roblox sends, such as the place id.

(Edit: If you’re unable to use that function, there are substitutes and even APIs which do that)

1 Like

I didn’t realize this, although if it isn’t intended functionality (which it might be intended), it may be removed in the future.

I remember doing something like this with who.is, I believe if I remember correctly I kept getting different results for each ip, and it didn’t work for me (without having to whitelist every single new one)

1 Like

Guess it was just the who.is results then, my bad.

@Spynaz @fireboltofdeath

As for Spynaz’s suggestion, you don’t timeout your entire server, only the ip which the request is originating from.

I don’t want to seem harsh but this is why inexperienced users pose security risks.

To explain. The server IP is known to all clients that join your game. It is easy for someone to spoof the IP blocking all traffic for that server. Server jump / bot the game and you will lock everything.

@marketmanager1 This is not a solution!!

As I explained your URL is being leaked by somone or something you are doing.

As far as I understood, OP wants to create a chat from roblox to discord and vice versa.
You don’t need to verify that the request is from Roblox as long as nobody knows the url.

To hide the url, make sure it’s not mentioned anywhere on the client (which it shouldn’t be as you should handle chatted events on server).

Edit: I’ve misread, OP wants to create a admin request thingie. As long as you freely distribute your code, it’s going to be exploitable. Everyone with console can check your http requests.

You can perform checks to see if the request comes from a whitelisted place id, and if the ip is a roblox server’s ip. Also I believe using RequestAsync() doesn’t make the url show up in the dev console.

How would you perform checks to see that? As far as I know, you can’t see where does the request come from.

I explained it above.

1 Like

Roblox owns these IP address ranges:

If you check that the request originates from within one of those ranges then you will know if it comes from a Roblox server or not.

If the request comes from outside one of those ranges, return 403 Forbidden or 404 Not Found.


Because this…

…you still need to make sure that requests are not spamming or misusing your API. It’s not possible to hide your web server’s address if you release this to someone, so you can expect someone to misuse it.

It’s worth noting that since we know these requests come from Roblox, we also know that the Roblox-Id value is correct. It’s also worth noting that you probably should not use IP address as an identifying piece of data because multiple Roblox servers can run off of one IP address.

It boils down to:

  1. Get some sort of identifying data. This can be place id, which you already have. You can make this more secure by requiring a unique API key per-user and whitelisting their place ids only for that API key.
  2. Rate limit based on the identifying data. Don’t allow more than 5 or 10 requests within 1 minute from the same place id/API key/etc.
  3. Optionally whitelist only place ids and API keys you want to use the service. This can be an automated or a manual approval process.
  4. When a place id or API key is abusing or spamming the service, blacklist it.

You might want to try keeping this fairly open at first and only do rate limiting + blacklisting place ids. If players abuse it then lock it down with API keys and a manual approval process.

1 Like

Roblox rents and uses more addresses (such as Total Server Solutions’)

Yep, I meant obfuscated.

Why can’t you just encrypt a key sent with the request that changes every minute or so and make each request require a unique key?

The encryption and decryption algorithms can be hidden in your server and service.

The server ip is not known to clients. Clients can’t make http requests therefore there is no reason for the url to be on the client. Even then, making http requests on the client uses the client’s IP address, not the server’s.

I clearly said you’ll have to manage the server’s usage not to go over the limits specified. This would work the same way as a library like Discord.js does to respect discord’s ratelimiting.

Roblox has tons of ips, and the chances of a malicious user getting the same ip as another server using this, is very unlikely. However, if that’s a worry, verify the server is from roblox via Kiriot’s method(via ISP), and then ban the Roblox-Id rather than the IP.

That said, I don’t believe you stated how it is a security threat.