Except Kiriot already showed you can check the ISP of the IP. Roblox assigns the ISP name to their ips as “Roblox”
Not all IPs that roblox uses are going to have “Roblox” on their ip information. I know this based on the fact i’ve looked at some information for them, and were not all roblox owned IP ranges
Are you sure? Who.is (if that is what you were using) doesn’t show the ISP.
I am absolutely positive, and no, i don’t use who.is
Alright. I’ll check later today a bunch of roblox IPs and see if they all have the same ISP.
This is more of a suggestion then anything, but the fact of not being able to properly verify a Roblox request is coming from an actual Roblox server is extremely annoying and makes protecting web services even more of a pain to do.
A reasonable idea would be to add a new header to Roblox HttpService requests called “Roblox-Verification
”, and have it be the Roblox-Id
header (if im correct, this is the place id, if not, then send it as another header) concatenated with the current unix timestamp, then signed via Roblox’s private RSA key. An API then can verify the signature and proceed accordingly.
Of course, its not as easy as that (replay attacks, time desyncs, etc), but something similar should be added to at least give developers some way of verifying a Roblox HttpService request is actually a legitimate request.
This is actually useful and possible.
By starting a server, make it send one request to your web server, the request should contain a data-gameid which is unique to every server. Once the server verifies it, it’s IP gets flagged as a roblox server and starts accepting requests from that IP.
What’s a data-gameid?
Its a variable that is held by your browser when entering a selected server to retrieve it you have to send a request to the game/place page.
When the server starts it sends a request to roblox using a proxy server, you will have to check which server has the first player that joins the game. Once that is checked you can obtain it’s data-gameid and send it to the server.
It’s also recommended to add other security keys that will change based on time.
You have to remember that the server is where you hide your scripts and its the only place that cant be seen by anyone. But if in any circumstance it got exposed this method should protect you until someone figures something out and acts faster than the server(which most likely will never happen since the server should start its scripts before the player joins).
Hopefully this helps solve your problem.
Enjoy!
You can obtain the Guid by sending a request to https://www.roblox.com/games/getgameinstancesjson?placeId=PLACEID&startIndex=0
Make sure to check for each page by changing the startIndex, following the following equation:
(Page_Number*10 - 10)
For example to get page 5 you have to change it to: startIndex=40
Since Roblox uses more ips than the given range, you can use a two-step check:
- If the IP is in the above range then allow it
- Include the server’s JobId with your request. If it’s not in the above range, simulate joining the game to get the server IP address for that JobId.
- Given a place id, JobId, and a logged in Roblox account, you can make two http requests to simulate joining the game. The second request returns the server IP for that JobId. These requests are easy to make — I tested them manually with Postman.
- If the IP you get by simulating a game join does not match the requester’s IP address, then it was a bad request.
- Once you have the IP for the JobId, cache it so that you don’t have to simulate a game join for future requests from that server for about an hour.
Step 2 should work for public servers. Step 1 just narrows the space you have to do Step 2 in.
Even Step 2 above really isn’t preferred. It only works for some servers and it doesn’t allow you to check private servers.
The best thing you can do is to stop checking the IP entirely. Instead, give out API keys and revoke abusers. If you get too many abusers, switch to manual approval of API keys.
Know that Roblox makes no guarantee that the IP making the HTTP request will be from Roblox. In the future it’s possible they could proxy it through something else.
As I’ve stated before. Roblox rents TSS servers (along with IPs) so.
How about not joinable places that redirect you to the main place?
(Additional game’s places)
Ps: nvm. Just read the bottom noticement.
I feel like you’ve ignored or not read my previous post here.
If you figure out a way to simulate a game join, then you can tell if it’s from a Roblox game server.
Script in ServerScriptService:
- Send placeId & jobId to your server
Your server:
- Make sure placeId & jobId & any secret key was provided
- Attempt to join that game with that jobId
- If successful, grant a temporary access token to the server
Script in ServerScriptService:
- Receives access token and provides in all subsequent requests
- When game closes, send DELETE request to server and have your access token revoked
What if the game is private, a VIP server, group-only, friends-only, etc.? I’ve suggested the same thing, but I pointed out that there are flaws. Have you tested to make sure that this method will work with games that you are not allowed to join?
Since…
- The Roblox script will be public
- Server can crash
…you have no guarantee that you will receive a DELETE request. Make sure that this times out eventually. Roblox servers of popular games can be running for many hours e.g. 24+, so your timeout value needs to be pretty large.
I don’t see any advantage to providing a temporary access key as compared to:
- Providing the JobId with every request
- Caching the is-roblox-server value for valid IPs
- OR Using API keys
The “temporary access token” thing seems to be a way around having to check the server on every request. Caching the server IP as valid works just as well, is less complex, and can actually take fewer requests overall since only servers that use the service will need to be checked.
If API keys are used instead, it doesn’t even matter if the request was sent by a Roblox server since you can just revoke abusers. Abuse can still happen through Roblox servers – the bigger issue is catching and preventing abusers from using the service. API keys works better for that than all other methods.
@Sir_Melio
Thanks for the idea! That’s when I’m gonna use!
@Corecii @WhereAreTheLights @Etheroit @Kampfkarren
Thanks a lot for your help!
**No need for anymore help, thanks a lot! **
I’m using a wordpress plugin to act as my database, and it can let you authorise an IP/Hostname for a particular API key. I know that above in this post, the IP question has been solved; but is there a hostname that is used by the HTTP Service?
I thought of another solution, although you can’t completely stop non-roblox requests, as long as you setup your web server correctly (behind cloudflare, and nginx rate limiting by ip), the idea is you store your API key in datastore, and use datastore’s OnUpdate for changes to this key, as well as get your server to check GetAsync if it was invalid when it tries, then retry. That way, if the key is compromised, you update it without needing to restart. Perhaps even use a random server to update to a new key.
Though this is more of a game-specific way to prevent unwanted requests. I’d also recommend fail2ban rules for request spam.