Check if HTTP Request comes from roblox game server?

If this is going into any game that requests to add it, you can’t hide the url. All urls are logged to the dev console.
If you’re scared people will spam it, then the solution is above, but if you are trying to hide it to keep it secret, sadly that won’t work.

1 Like

Not only can you read the URLs from the developer console, but I could also easily proxy your methods to HttpService if I put it in my place and see the exact headers, URL, body, etc. Also, “encoded code” doesn’t mean anything here. I think you meant obfuscated.

1 Like

There is actually a way to see if it is coming from a Roblox server. Although mot much talked about, it is doable, but it takes time.

I am not going to get into a lot of details as this is an open thread for everyone to see.

You send the jobId and the placeId in a request to your server in exchange fo a temporary access code. “Why would I do that?” - well, because:

Your computer needs to know what to connect to when you want to play a game. If you can manage to find out how to do it, then you can make sure a request is from a Roblox server.

I spent hours to figure it out, so I could use it for my site. I made some progress, but stopped in the end.
And if you don’t believe me, well Froast made a post just like this:

Now, it’s up to you and how much you really want to do,

Correct me if I’m wrong, but weren’t the requests made with RequestAsync() not logged into it?

It is. There is a php function geoip_isp_by_name(). You can use it to check if the ISP of the ip the request comes from is the same as one of a roblox ip. From that point check the headers roblox sends, such as the place id.

(Edit: If you’re unable to use that function, there are substitutes and even APIs which do that)

1 Like

I didn’t realize this, although if it isn’t intended functionality (which it might be intended), it may be removed in the future.

I remember doing something like this with who.is, I believe if I remember correctly I kept getting different results for each ip, and it didn’t work for me (without having to whitelist every single new one)

2 Likes

Guess it was just the who.is results then, my bad.

@Spynaz @fireboltofdeath

As for Spynaz’s suggestion, you don’t timeout your entire server, only the ip which the request is originating from.

I don’t want to seem harsh but this is why inexperienced users pose security risks.

To explain. The server IP is known to all clients that join your game. It is easy for someone to spoof the IP blocking all traffic for that server. Server jump / bot the game and you will lock everything.

@marketmanager1 This is not a solution!!

As I explained your URL is being leaked by somone or something you are doing.

As far as I understood, OP wants to create a chat from roblox to discord and vice versa.
You don’t need to verify that the request is from Roblox as long as nobody knows the url.

To hide the url, make sure it’s not mentioned anywhere on the client (which it shouldn’t be as you should handle chatted events on server).

Edit: I’ve misread, OP wants to create a admin request thingie. As long as you freely distribute your code, it’s going to be exploitable. Everyone with console can check your http requests.

You can perform checks to see if the request comes from a whitelisted place id, and if the ip is a roblox server’s ip. Also I believe using RequestAsync() doesn’t make the url show up in the dev console.

1 Like

How would you perform checks to see that? As far as I know, you can’t see where does the request come from.

I explained it above.

2 Likes

Roblox owns these IP address ranges:

If you check that the request originates from within one of those ranges then you will know if it comes from a Roblox server or not.

If the request comes from outside one of those ranges, return 403 Forbidden or 404 Not Found.


Because this…

…you still need to make sure that requests are not spamming or misusing your API. It’s not possible to hide your web server’s address if you release this to someone, so you can expect someone to misuse it.

It’s worth noting that since we know these requests come from Roblox, we also know that the Roblox-Id value is correct. It’s also worth noting that you probably should not use IP address as an identifying piece of data because multiple Roblox servers can run off of one IP address.

It boils down to:

  1. Get some sort of identifying data. This can be place id, which you already have. You can make this more secure by requiring a unique API key per-user and whitelisting their place ids only for that API key.
  2. Rate limit based on the identifying data. Don’t allow more than 5 or 10 requests within 1 minute from the same place id/API key/etc.
  3. Optionally whitelist only place ids and API keys you want to use the service. This can be an automated or a manual approval process.
  4. When a place id or API key is abusing or spamming the service, blacklist it.

You might want to try keeping this fairly open at first and only do rate limiting + blacklisting place ids. If players abuse it then lock it down with API keys and a manual approval process.

2 Likes

Roblox rents and uses more addresses (such as Total Server Solutions’)

1 Like

Yep, I meant obfuscated.

Why can’t you just encrypt a key sent with the request that changes every minute or so and make each request require a unique key?

The encryption and decryption algorithms can be hidden in your server and service.

The server ip is not known to clients. Clients can’t make http requests therefore there is no reason for the url to be on the client. Even then, making http requests on the client uses the client’s IP address, not the server’s.

I clearly said you’ll have to manage the server’s usage not to go over the limits specified. This would work the same way as a library like Discord.js does to respect discord’s ratelimiting.

Roblox has tons of ips, and the chances of a malicious user getting the same ip as another server using this, is very unlikely. However, if that’s a worry, verify the server is from roblox via Kiriot’s method(via ISP), and then ban the Roblox-Id rather than the IP.

That said, I don’t believe you stated how it is a security threat.

I think you mave misread this. Players that join a roblox game will know the IP of that game server resulting in all IP based checks pointless.

This is not how an IPs are assigned and work?

How does it make ip based checks pointless? The client can’t send requests as the server. (And I thought you meant the IP of the web server OP is using)

IP based checks are a bad idea unless you get a list thats updated immediately all the time. Roblox is expanding their servers, and obviously getting more addresses at the same time, which unless they wanted to give us that list (which is a bad idea), ip based checks isn’t really a good idea either.