Client hit detection anti exploit

I have a script in the local script where every time I fire a laser it will detect when the laser is touched by a Humanoid, and if it is, it will fire a RemoteEvent with the humanoid in it so we can deal damage like this.

LOCAL SCRIPT

if humanoid then
     DamageEvent:FireServer(humanoid)
end

SERVER SCRIPT

DamageEvent.OnServerEvent:Connect(function(plr,humanoid)
     humanoid:TakeDamage(10)
end)

But the problem is the fact that exploiters can fire the remote event and pass any player's humanoid so he can do some sort of kill all script. What's the best way to make this secure? I would do a thing in the server where it detects if the server finds that the player is not equipping any tool, but it's a PvP game, everyone has a tool.

3 Likes

Replace the local script with a server script and copy all of the stuff in the local script to the script you just added. Then change the function inside of the if humanoid then to humanoid:TakeDamage(10).

1 Like

Try moving all the logic to the server. Raycasting from the client then returning the hit objects to the server is easily exploited; as you mentioned, a client can easily get all the humanoids in the game then fire the event to kill them all.

Instead, try telling the server when a client fires and the direction, and have the server do the raycasting and damaging. This way only the server determines which hit is valid according to where the weapon is fired.

Client script:

Tool.Activated:Connect(function()
    FireEvent:FireServer(TheDirection)
end)

Server script logic:

FireEvent.OnServerEvent:Connect(function(Player, Direction)
    -- OnServerEvent always passes the firing player as the first argument
    -- Do the raycasting and the damage here
end)

2 Likes

Wouldn't ServerSide raycasting cause delay? Plus, can the client just change the direction to pass as an argument into a player's position?

1 Like

You don’t ever want to do ServerSided hit detection, unless you have a way to fix the need to predict your aim. ClientSide hit detection is done in most popular FPS games. You can easily validate everything on the server by adding extra checks to make sure the information the client is sending actually makes sense.

3 Likes
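
One way to write the server-side checks the last reply describes, applied to the original DamageEvent handler. This is an added example, not code from any post in this thread. It assumes DamageEvent is a RemoteEvent in ReplicatedStorage, and MAX_RANGE, COOLDOWN and the helper name isValidHit are illustrative.

```lua
-- Server Script. Assumed: DamageEvent is a RemoteEvent in ReplicatedStorage;
-- MAX_RANGE and COOLDOWN are illustrative values, tune them to the weapon.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local DamageEvent = ReplicatedStorage:WaitForChild("DamageEvent")

local MAX_RANGE = 300   -- studs the laser can reach (assumed)
local COOLDOWN = 0.25   -- minimum seconds between accepted hits (assumed)
local DAMAGE = 10
local lastHit = {}      -- [Player] = os.clock() of last accepted hit

local function isValidHit(plr, humanoid)
	-- Arguments come from the client: check the type before touching them.
	if typeof(humanoid) ~= "Instance" or not humanoid:IsA("Humanoid") then return false end
	local target = humanoid.Parent
	local char = plr.Character
	if not char or not target or target == char or humanoid.Health <= 0 then return false end
	local myHum = char:FindFirstChildOfClass("Humanoid")
	local myRoot = char:FindFirstChild("HumanoidRootPart")
	local theirRoot = target:FindFirstChild("HumanoidRootPart")
	if not (myHum and myHum.Health > 0 and myRoot and theirRoot) then return false end
	if not char:FindFirstChildOfClass("Tool") then return false end -- weapon must be equipped

	-- Rate limit: repeated remote calls cannot be spammed into a kill-all.
	local now = os.clock()
	if now - (lastHit[plr] or 0) < COOLDOWN then return false end

	-- Range and line of sight, measured from positions the server holds.
	local offset = theirRoot.Position - myRoot.Position
	if offset.Magnitude > MAX_RANGE then return false end
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { char }
	local result = workspace:Raycast(myRoot.Position, offset, params)
	if result and not result.Instance:IsDescendantOf(target) then return false end

	lastHit[plr] = now
	return true
end

DamageEvent.OnServerEvent:Connect(function(plr, humanoid)
	if isValidHit(plr, humanoid) then
		humanoid:TakeDamage(DAMAGE)
	end
end)

Players.PlayerRemoving:Connect(function(plr)
	lastHit[plr] = nil -- drop per-player state when they leave
end)
```

The client still does the hit detection, so aiming stays responsive; the server only rejects reports that are impossible given where both characters are.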