Check if HTTP Request comes from roblox game server?

The server IP is not known to clients. Clients can’t make HTTP requests, therefore there is no reason for the URL to be on the client. Even then, making HTTP requests on the client uses the client’s IP address, not the server’s.

I clearly said you’ll have to manage the server’s usage not to go over the limits specified. This would work the same way as a library like Discord.js does to respect discord’s ratelimiting.

Roblox has tons of IPs, and the chances of a malicious user getting the same IP as another server using this are very unlikely. However, if that’s a worry, verify the server is from Roblox via Kiriot’s method (via ISP), and then ban the Roblox-Id rather than the IP.

That said, I don’t believe you stated how it is a security threat.

I think you may have misread this. Players that join a Roblox game will know the IP of that game server, making all IP based checks pointless.

This is not how IPs are assigned and work?

How does it make IP based checks pointless? The client can’t send requests as the server. (And I thought you meant the IP of the web server OP is using.)

IP based checks are a bad idea unless you get a list that’s updated immediately all the time. Roblox is expanding their servers, and obviously getting more addresses at the same time, so unless they wanted to give us that list (which is a bad idea), IP based checks aren’t really a good idea either.

Except Kiriot already showed you can check the ISP of the IP. Roblox assigns the ISP name to their IPs as “Roblox”.

1 Like

Not all IPs that Roblox uses are going to have “Roblox” on their IP information. I know this based on the fact I’ve looked at some information for them, and they were not all Roblox-owned IP ranges.

1 Like

Are you sure? Who.is (if that is what you were using) doesn’t show the ISP.

1 Like

I am absolutely positive, and no, I don’t use who.is.

1 Like

Alright. I’ll check later today a bunch of Roblox IPs and see if they all have the same ISP.

1 Like

This is more of a suggestion than anything, but the fact of not being able to properly verify a Roblox request is coming from an actual Roblox server is extremely annoying and makes protecting web services even more of a pain to do.

A reasonable idea would be to add a new header to Roblox HttpService requests called “Roblox-Verification”, and have it be the Roblox-Id header (if I’m correct, this is the place id; if not, then send it as another header) concatenated with the current unix timestamp, then signed via Roblox’s private RSA key. An API then can verify the signature and proceed accordingly.

Of course, it’s not as easy as that (replay attacks, time desyncs, etc.), but something similar should be added to at least give developers some way of verifying a Roblox HttpService request is actually a legitimate request.

8 Likes
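An added example (not code from this thread or from Roblox) of the verifier side of the header proposed above, including the replay and time-desync handling the post says a real scheme would need. The post proposes an RSA signature from Roblox’s private key; to stay in the standard library this example uses an HMAC over a constructed shared secret instead, so `make_verification` stands in for the signing step Roblox would perform. The header layout `<Roblox-Id>:<timestamp>:<signature>`, the skew window and the seen-signature cache are all assumptions for illustration.

```python
import hmac
import hashlib

# Constructed demo secret standing in for the RSA key pair the post proposes.
SECRET = b"constructed-demo-secret"
MAX_SKEW = 300   # seconds of tolerated clock drift between Roblox and the API
_seen = {}       # signature -> expiry time; rejects replays inside the window


def make_verification(roblox_id: str, ts: int, secret: bytes = SECRET) -> str:
    """Signer side (the role Roblox would play): sign '<id>:<timestamp>'."""
    msg = f"{roblox_id}:{ts}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{roblox_id}:{ts}:{sig}"


def verify_request(header: str, now: int, secret: bytes = SECRET) -> tuple:
    """API side: returns (accepted, reason_or_roblox_id).

    Order matters: check the signature before trusting any field, then the
    timestamp window, then replay. A replayed header is rejected even though
    its signature is valid, which is the gap the post points out.
    """
    try:
        roblox_id, ts_s, sig = header.split(":")
        ts = int(ts_s)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(secret, f"{roblox_id}:{ts}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    # Drop cache entries that can no longer pass the window check anyway.
    for key in [k for k, exp in _seen.items() if exp <= now]:
        del _seen[key]
    if sig in _seen:
        return False, "replay"
    _seen[sig] = ts + MAX_SKEW
    return True, roblox_id
```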

This is actually useful and possible.
By starting a server, make it send one request to your web server; the request should contain a data-gameid which is unique to every server. Once the server verifies it, its IP gets flagged as a Roblox server and starts accepting requests from that IP.

What’s a data-gameid?
It’s a variable that is held by your browser when entering a selected server; to retrieve it you have to send a request to the game/place page.
When the server starts it sends a request to Roblox using a proxy server; you will have to check which server has the first player that joins the game. Once that is checked you can obtain its data-gameid and send it to the server.

It’s also recommended to add other security keys that will change based on time.

You have to remember that the server is where you hide your scripts and it’s the only place that can’t be seen by anyone. But if in any circumstance it got exposed, this method should protect you until someone figures something out and acts faster than the server (which most likely will never happen since the server should start its scripts before the player joins).

Hopefully this helps solve your problem.
Enjoy!

You can obtain the Guid by sending a request to https://www.roblox.com/games/getgameinstancesjson?placeId=PLACEID&startIndex=0

Make sure to check each page by changing the startIndex, using the following equation:
(Page_Number*10 - 10)
For example, to get page 5 you have to change it to: startIndex=40

6 Likes

Since Roblox uses more IPs than the given range, you can use a two-step check:

  1. If the IP is in the above range then allow it
  2. Include the server’s JobId with your request. If it’s not in the above range, simulate joining the game to get the server IP address for that JobId.
    • Given a place id, JobId, and a logged in Roblox account, you can make two http requests to simulate joining the game. The second request returns the server IP for that JobId. These requests are easy to make — I tested them manually with Postman.
    • If the IP you get by simulating a game join does not match the requester’s IP address, then it was a bad request.
    • Once you have the IP for the JobId, cache it so that you don’t have to simulate a game join for future requests from that server for about an hour.

Step 2 should work for public servers. Step 1 just narrows the space you have to do Step 2 in.


Even Step 2 above really isn’t preferred. It only works for some servers and it doesn’t allow you to check private servers.

The best thing you can do is to stop checking the IP entirely. Instead, give out API keys and revoke abusers. If you get too many abusers, switch to manual approval of API keys.

1 Like

Know that Roblox makes no guarantee that the IP making the HTTP request will be from Roblox. In the future it’s possible they could proxy it through something else.

As I’ve stated before. Roblox rents TSS servers (along with IPs) so.

1 Like

How about not joinable places that redirect you to the main place?
(Additional game’s places)

PS: nvm. Just read the bottom notice.

I feel like you’ve ignored or not read my previous post here.
If you figure out a way to simulate a game join, then you can tell if it’s from a Roblox game server.

Script in ServerScriptService:

  • Send placeId & jobId to your server

Your server:

  • Make sure placeId & jobId & any secret key was provided
  • Attempt to join that game with that jobId
  • If successful, grant a temporary access token to the server

Script in ServerScriptService:

  • Receives access token and provides in all subsequent requests
  • When game closes, send DELETE request to server and have your access token revoked

What if the game is private, a VIP server, group-only, friends-only, etc.? I’ve suggested the same thing, but I pointed out that there are flaws. Have you tested to make sure that this method will work with games that you are not allowed to join?

Since…

  1. The Roblox script will be public
  2. Server can crash

…you have no guarantee that you will receive a DELETE request. Make sure that this times out eventually. Roblox servers of popular games can be running for many hours e.g. 24+, so your timeout value needs to be pretty large.
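An added example (not code from any poster here) of the temporary access token store described in the ServerScriptService flow above, written to cover the caveat in this reply: tokens must expire on their own because a crashed server never sends its DELETE. The join check itself is outside this snippet; `issue` takes its outcome as a boolean. The class, method names and the 36-hour TTL are assumptions chosen to exceed the 24h+ lifetimes mentioned in the thread.

```python
import hmac
import secrets

TOKEN_TTL = 36 * 3600   # assumed; must exceed how long a popular server can run


class AccessTokens:
    """Per-server access tokens with expiry and explicit revocation."""

    def __init__(self, ttl: int = TOKEN_TTL):
        self.ttl = ttl
        self._tokens = {}   # token -> (place_id, job_id, expires_at)

    def issue(self, place_id: str, job_id: str, join_verified: bool, now: int):
        """Called once per server start. `join_verified` is the result of the
        'attempt to join that game with that jobId' step; nothing is issued
        unless it passed."""
        if not join_verified:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (place_id, job_id, now + self.ttl)
        return token

    def check(self, token: str, job_id: str, now: int) -> bool:
        """Validate a token on a subsequent request. The token is bound to the
        JobId it was issued for, so a leaked token is useless from any other
        server, and an expired token is purged on first sight."""
        entry = self._tokens.get(token)
        if entry is None:
            return False
        _place_id, bound_job, expires_at = entry
        if now >= expires_at:
            del self._tokens[token]   # the DELETE never came; time it out
            return False
        return hmac.compare_digest(bound_job, job_id)

    def revoke(self, token: str) -> bool:
        """Handle the DELETE sent when the game closes."""
        return self._tokens.pop(token, None) is not None
```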


I don’t see any advantage to providing a temporary access key as compared to:

  • Providing the JobId with every request
  • Caching the is-roblox-server value for valid IPs
  • OR Using API keys

The “temporary access token” thing seems to be a way around having to check the server on every request. Caching the server IP as valid works just as well, is less complex, and can actually take fewer requests overall since only servers that use the service will need to be checked.

If API keys are used instead, it doesn’t even matter if the request was sent by a Roblox server since you can just revoke abusers. Abuse can still happen through Roblox servers – the bigger issue is catching and preventing abusers from using the service. API keys works better for that than all other methods.

1 Like

@Sir_Melio
Thanks for the idea! That’s what I’m gonna use! :slight_smile:

@Corecii @WhereAreTheLights @Etheroit @Kampfkarren

Thanks a lot for your help! :slight_smile:

**No need for any more help, thanks a lot! :slight_smile:**

3 Likes

I’m using a wordpress plugin to act as my database, and it can let you authorise an IP/Hostname for a particular API key. I know that above in this post, the IP question has been solved; but is there a hostname that is used by the HTTP Service?

I thought of another solution. Although you can’t completely stop non-Roblox requests, as long as you set up your web server correctly (behind Cloudflare, and nginx rate limiting by IP), the idea is you store your API key in a DataStore, use the DataStore’s OnUpdate for changes to this key, and have your server check GetAsync if the key was invalid when it tried, then retry. That way, if the key is compromised, you update it without needing to restart. Perhaps even use a random server to update to a new key.

Though this is more of a game-specific way to prevent unwanted requests. I’d also recommend fail2ban rules for request spam.

3 Likes