Common Client-Server mistakes

As far as I know, you can’t exploit the status of having the gamepass.
If you trade the money on the server, you can also make sure that the client can’t cheat his way out of it, but that doesn’t help him if he buys something on the server.

That's true, when you don't use chicknoid [idk the exact name] [it costs rly rly much performance] the client can do that, that's what an anti-cheat is for.

When you check that on the server the client would not know that.

Hm, a gaming pc/mobile phone against a server in the 6-7 digit range [costs].

The problem here is that the server cannot properly verify that the player is allowed to run or not. Therefore, this must also be on the server. The server would then have to check the maximum allowed speed during the sprint in order not to moderate anyone incorrectly. It can’t know for sure whether the player is really allowed to sprint, and that would make it possible to have an undeniable race.

It is generally better to make the stamina system on the client, as it will reduce lag. However, I’d like to make you aware that there are many ways to detect the cheater speed cheating both on the server and the client.

The most secure way to do this will be on the server, by simply comparing magnitude between position A of the player and position B of the player every second or so and checking if it exceeds limits.

It’s only as useless as its maker. If you have enough knowledge, unlike what you’ve been mentioning here that you should only use the client, nobody will be able to bypass it.

The best anti-cheat is to combine both the client and server anti-cheat, and if done correctly and with the right amount of knowledge, almost nobody will be able to bypass it, and when somebody does, you’ll be able to patch it.

You don’t understand Client Anti Cheats, also your point about game passes is completely wrong unless you verify it on the client (which is a horrible idea) and infinite money is impossible due to FilteringEnabled unless your remotes aren’t sanitized.

Actually ray casts don’t affect performance that much as long as you don’t ray cast that far, this has been confirmed by Roblox staff.

Thanks for giving us another argument, thing is that we talk about more practical use of anti-cheats for characters, such as speed hack, flying, super jump, teleport etc.

Also we consider scenarios when those anti-cheats are useful to not harm performance but also stop harming people, this means that apart from the rule to “never trust client” there is another: “trust client depending on scenario”.

To visualize it more, here we have an example:
We created a clicker game where you collect coins. Some cheater makes a speed hack so they don't have to walk that long; you of course patch it, but then another, harder-to-patch exploit comes into play: it lerps the player to the coin's position. You patch that too. In one update you add speed boost potions, and you also update your anti-cheat so it doesn't fire false positives. Sadly for you, cheaters found another way to make their game easier: they've learnt that every 1/4 of a second you check if they teleport, so they made an exploit that teleports them in the blink of an eye to the position and back so the anti-cheat doesn't fire. You upgrade your anti-cheat, then you see a performance drop. You repeat this game again and again; now your game is unplayable, and cheaters have found a way that you can't patch, meaning automation and super quick teleports. You can't patch them anymore.

Sorry for the long story. As you can see, to patch one stupid exploit in your clicker you had to destroy performance, and even then cheaters found a way to be better. This means no matter what you do, the better the anti-cheat is, the more it eats performance.

Now the “rule” that isn’t particularly true, “never trust client”, this is false, you can trust your client for some things like anti-cheat, you only have to know if you can do that!

Why? you may ask. See, most cheaters are random kids who download some .exe file from suspicious websites and then run it. They have zero knowledge about coding or even how cheats are made; many think that some guy in a basement makes them and has this funny mask.

So in the end, 90% of cheaters can’t code, which means they can’t delete your scripts. Update your game every week with bug fixes and then you will destroy cheaters mentally. Who wants to update one thing every week?

Conclusion: Client-side anti-cheats are mostly safe due to the fact that not every exploiter can code and that many game genres are simply not able to be harmed by character exploits, this means no server-side anti-cheat game possible. Use secure remotes and a client-side anti-cheat and you will be fine.

Clientside anticheats do nothing. All it takes is either one script (anti client kick, crash, etc or literally just delete it) and boom. Completely gone. If your game ever gets popular, there’s bound to be one script that every exploiter will use that’ll automatically snap your anticheat. Tough world, so stick to just securing remotes and if you really need it, making simple lenient serverside checks.

As I said, most cheaters can’t do that. If you update your game to break cheats, the exploiter has to join your game again and change his code, which becomes annoying after some time.

Assuming you meant “anticheat”—you are wrong.

I support using client-side anticheats, however, this is a dumb argument.

You should always use client + server, most exploiters use code made by people who can code and eventually that person who can code will work around it if you have no server sided measures alongside your client ones.

Exploiters are persistent. Taking a look at Criminality and some games, the script communities there update to fix their scripts in almost near seconds. You’re not gonna shutdown servers every 8h just to do something that’ll get bypassed in mere seconds, while hurting player experience?

I want to add that we are talking about anti-cheats, which means mostly security about player abilities. We don’t take remote security here, so no, money bag drop is not the job of an anti-cheat but rather of safe remotes.

This is not relevant to what I have posted.

I ain’t gonna lie, if done perfectly it CAN be okay, but if you see many games most of them don’t even bother with clientside anticheat. Your post also has 308 replies, which kinda should say a lot.

Again, anti-cheat here is things such as anti: tp, speed, jump, fly etc.

On serverside? Yeah, it can be done and it’s much better than clientside anticheat. Just do serverside anticheats if you’re desperate.

All of these specific measures should be done on the server, not the client.

Still, I can say it depends on the game. I thought about it overnight and I can say in some games where cheats harm players, but in games like clickers or sandboxes it’s practically a fight with the wind

That literally won’t work in any anticheat ever unless it is written horribly.

Tested: when the anti-cheat compared 2 positions every 1/4 of a second and I teleported the player in 1/8 of a second, it didn’t fire.

Could you please show me the teleport script and the anti-cheat?

```lua
-- Tp script: teleports the player to position X and then quickly back.

-- Some trigger
local current = Character.PrimaryPart.Position
Character.PrimaryPart.Position = targetPosition -- let's say we want to tp the player to a coin and back so the anti-cheat doesn't fire
task.wait(1/8)
Character.PrimaryPart.Position = current

-- Anticheat: max distance is set in settings and given
local last = Character.PrimaryPart.Position
while true do
  local current = Character.PrimaryPart.Position
  if (current - last).Magnitude > MaxDistance then
    print("Player cheated: "..Character.Name)
  end

  last = current
  task.wait(1/4)
end
```

In this scenario, there is a chance that coin collection will detect that the player is near it, and then the player teleports back so he can’t be caught.

The problem is that you are checking every 1/4 seconds. An actual anti-cheat will only check every second.

You can whitelist server-sided teleports by listening to HumanoidRootPart:GetPropertyChangedSignal("CFrame") and setting the last CFrame to the new CFrame, this will not trigger upon client-sided teleports but will when a server-sided teleportation happens, letting your server-sided scripts teleport players without the anti cheat having a spasm.

If there is 1 second of cooldown between checks, the player can still teleport super fast and collect coins, then go back and never be caught.
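
The disagreement above about check intervals can be reproduced offline. The following is an added example, not code from any post in the thread: it runs the thread's net-displacement check at 1/4 s and 1 s over a constructed position trace containing an out-and-back move, next to a check that sums the distance travelled on every step. The speed limit, tolerance, step length and trace are assumptions.

```lua
-- Added example: plain Lua, no Roblox API; positions are constructed {x, z} tables.
local MAX_SPEED = 16   -- assumed top speed, studs per second
local TOLERANCE = 1.5  -- assumed slack for latency and physics jitter
local TICK = 1 / 60    -- assumed server step length, seconds

local function dist(a, b)
  local dx, dz = a.x - b.x, a.z - b.z
  return math.sqrt(dx * dx + dz * dz)
end

-- The thread's check: net displacement between two samples `interval` seconds apart.
local function sampledCheck(trace, interval)
  local step = math.floor(interval / TICK + 0.5)
  for i = 1 + step, #trace, step do
    if dist(trace[i], trace[i - step]) > MAX_SPEED * interval * TOLERANCE then
      return true
    end
  end
  return false
end

-- Path-length check: sum every per-step move, so out-and-back counts twice.
local function pathLengthCheck(trace, window)
  local step = math.floor(window / TICK + 0.5)
  local travelled = 0
  for i = 2, #trace do
    travelled = travelled + dist(trace[i], trace[i - 1])
    if (i - 1) % step == 0 then
      if travelled > MAX_SPEED * window * TOLERANCE then return true end
      travelled = 0
    end
  end
  return false
end

-- Constructed 1 s trace: walking at top speed, optionally 200 studs away for 8 steps.
local function buildTrace(teleports)
  local trace = {}
  for i = 1, 61 do
    local away = teleports and i >= 20 and i < 28
    trace[i] = { x = (i - 1) * MAX_SPEED * TICK + (away and 200 or 0), z = 0 }
  end
  return trace
end

for _, interval in ipairs({ 0.25, 1 }) do
  local cheat, honest = buildTrace(true), buildTrace(false)
  print(interval, sampledCheck(cheat, interval), pathLengthCheck(cheat, interval), pathLengthCheck(honest, interval))
end
```

Each printed row is the interval, the sampled check on the out-and-back trace, the path-length check on the same trace, and the path-length check on the plain walking trace. In a live game the accumulator would also need resetting after a legitimate server-side teleport, as the whitelisting post above describes.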