Common Client-Server mistakes

Most of what you have written here I have already covered several times in the 101 posts [here as a whole, not just from me.]

Because we want to tell you that your point is pointless, no need for server-sided anticheat as it does more harm than good.

Save this post and look at it again in 2 years.

If I made an anti-cheat, I would keep it simple by just adding a “random” check to each remote event.

Maybe even have a stored table of sent remote events and their timestamps of the last activity sent from a given player within an hour, that is, if I wanted to manually dig deeper.

Hello. I was reading this post and I saw an argument, so I just want to say some things I know so you can understand both sides more.

Please also know that I’m not experienced, I’ve never published a game, and I haven’t played Roblox games in some time. Some things may be a bit off.

NEVER TRUST THE CLIENT
This is very important for any game or service where there is a client and server working together.

  • The client will be able to get any gamepass they want or infinite money.
  • The client will always be able to fly and or beat other players.
  • The client will always be able to ruin the experience of other Players.

No matter what you are doing you must always make sure the client doesn’t always have the power to do anything so they can’t cheat or negatively impact the experience of other players.

PERFORMANCE

It’s important to maximize the security of your game, but it really is important to make sure your anti-cheat isn’t ruining the performance of your game. Not everyone has a perfect computer or internet, so as the game developer, you must do your best to give every player the best experience possible.

  • If you want to check if a player is flying, you can’t raycast or do other math too often, or network will start to worsen (and also you’ll have to check other actions the player is doing so innocent players don’t get affected. ex. jump potion)

EXAMPLE
I’m still not too good at development so please develop these ideas or tell me if I’m wrong if you believe so

Sanity checks:

  • The Client is most likely always more performant than the server, so if you want to make a stamina script, don’t use one or the other, use both!! (Use the client to control stamina, and make the server stop the sprinting if the client doesn’t stop sprinting on time.)

That’s all I have. Please try to understand each other and make solutions that work for your own games.

2 Likes

As far as I know, you can’t exploit the status of having the gamepass.
If you trade the money on the server, you can also make sure that the client can’t cheat his way out of it, but that doesn’t help him if he buys something on the server.

That’s true, when you don’t use chicknoid [idk the exact name] [it costs really, really much performance] the client can do that, that’s what an anti-cheat is for.

When you check that on the server, the client would not know that.

Hm, a gaming pc/mobile phone against a server in the 6-7 digit range [costs].

The problem here is that the server cannot properly verify that the player is allowed to run or not. Therefore, this must also be on the server. The server would then have to check the maximum allowed speed during the sprint in order not to moderate anyone incorrectly. It can’t know for sure whether the player is really allowed to sprint, and that would make it possible to have an undeniable race.

It is generally better to make the stamina system on the client, as it will reduce lag. However, I’d like to make you aware that there are many ways to detect the cheater speed cheating both on the server and the client.

The most secure way to do this will be on the server, by simply comparing magnitude between position A of the player and position B of the player every second or so and checking if it exceeds limits.

It’s only as useless as its maker. If you have enough knowledge, unlike what you’ve been mentioning here that you should only use the client, nobody will be able to bypass it.

The best anti-cheat is to combine both the client and server anti-cheat, and if done correctly and with the right amount of knowledge, almost nobody will be able to bypass it, and when somebody does, you’ll be able to patch it.
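The server-side position comparison and the server-enforced stamina limit described in the posts above, combined in one server Script. This is an added example, not code from any poster in this thread; the speeds, stamina budget, tolerance, interval and strike threshold are assumed values.

```lua
-- Added example (server Script). Constants are assumptions, not from the thread.
local Players = game:GetService("Players")

local WALK_SPEED, SPRINT_SPEED = 16, 24 -- studs/s; 16 is the default WalkSpeed
local MAX_STAMINA = 5      -- seconds of sprint the server tolerates
local REGEN_PER_SEC = 0.5  -- stamina regained per second when not sprinting
local TOLERANCE = 1.25     -- slack for latency and physics jitter
local INTERVAL = 1         -- seconds between position samples
local STRIKES_TO_ACT = 3   -- bad samples needed before correcting

local state = {} -- [Player] = { root, pos, stamina, strikes }

local function check(player, s, dt)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root or root ~= s.root then
		-- spawn or respawn: restart sampling instead of flagging the jump
		s.root, s.pos, s.strikes = root, root and root.Position, 0
		return
	end
	-- horizontal distance only, so falling is not counted as speed
	local speed = ((root.Position - s.pos) * Vector3.new(1, 0, 1)).Magnitude / dt
	-- the server keeps its own stamina budget; the client's bar is cosmetic
	if speed > WALK_SPEED * TOLERANCE then
		s.stamina = math.max(0, s.stamina - dt)
	else
		s.stamina = math.min(MAX_STAMINA, s.stamina + REGEN_PER_SEC * dt)
	end
	local limit = (s.stamina > 0 and SPRINT_SPEED or WALK_SPEED) * TOLERANCE
	if speed <= limit then
		s.pos, s.strikes = root.Position, math.max(0, s.strikes - 1)
		return
	end
	s.strikes += 1
	if s.strikes >= STRIKES_TO_ACT then
		-- lenient response: move the character back, do not kick or ban
		character:PivotTo(CFrame.new(s.pos))
		s.strikes = 0
	else
		s.pos = root.Position
	end
end

Players.PlayerAdded:Connect(function(p) state[p] = { stamina = MAX_STAMINA, strikes = 0 } end)
Players.PlayerRemoving:Connect(function(p) state[p] = nil end)
while true do
	local dt = task.wait(INTERVAL)
	for player, s in pairs(state) do check(player, s, dt) end
end
```

Server-initiated teleports, vehicles and speed-boost potions have to reset `s.pos` or raise the limit for the affected player, otherwise they count as strikes.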

You don’t understand Client Anti Cheats, also your point about game passes is completely wrong unless you verify it on the client (which is a horrible idea) and infinite money is impossible due to FilteringEnabled unless your remotes aren’t sanitized.

Actually ray casts don’t affect performance that much as long as you don’t ray cast that far, this has been confirmed by Roblox staff.

Thanks for giving us another argument. The thing is that we are talking about the more practical use of anti-cheats for the character, such as speed hack, flying, super jump, teleport etc.

Also, we consider scenarios when those anti-cheats are useful, to not harm performance but also stop people being harmed. This means that apart from the rule “never trust client” there is another: “trust client depending on scenario”.

To visualize it more, here we have an example:
We created a clicker game where you collect coins. Some cheater makes a speed hack so they don't have to walk that long. You of course patch it, but then another, harder-to-patch exploit comes into place: it lerps the player to the coin's position. You also patch it. In one update you add speed boost potions, and you also update your anti-cheat so it doesn't fire false positives. Sadly for you, cheaters found another way to make their game easier: they've learnt that every 1/4 of a second you check if they teleport, so they made an exploit that teleports them in the blink of an eye to a position and back so the anti-cheat doesn't fire. You upgrade your anti-cheat, then you see a performance drop. You repeat this game again and again, and now your game is unplayable. Cheaters found a way that you can't patch, this means automation and super quick teleports; you can't patch them anymore.

Sorry for the long story. As you can see, to patch one stupid exploit in your clicker you had to destroy performance, and even then cheaters found a way to be better. This means no matter what you do, the better the anti-cheat is, the more it eats performance.

Now the “rule” that isn’t particularly true, “never trust client”: this is false, you can trust your client for some things like anti-cheat, you only have to know if you can do that!

Why, you may ask? See, most cheaters are random kids who download some .exe file from suspicious websites and then run it. They have zero knowledge about coding or even how cheats are made; many think that some guy in a basement makes them and has this funny mask.

So in the end, 90% of cheaters can’t code, which means they can’t delete your scripts. Update your game every week with bug fixes and then you will destroy cheaters mentally. Who wants to update one thing every week?

Conclusion: Client-side anticheats are mostly safe due to the fact that not every exploiter can code and that many game genres are simply not able to be harmed by character exploits. This means no server-side anti-cheat game possible; use secure remotes and client-side anti-cheat and you will be fine.

Clientside anticheats do nothing. All it takes is one script (anti client kick, crash, etc. or literally just delete it) and boom. Completely gone. If your game ever gets popular, there’s bound to be one script that every exploiter will use that’ll automatically snap your anticheat. Tough world, so stick to just securing remotes and, if you really need it, making simple lenient serverside checks.

As I said, most cheaters can’t do that. If you update your game to break cheats, the exploiter has to join your game again and change his code, which becomes annoying after some time.

Assuming you meant “anticheat”—you are wrong.

I support using client-side anticheats, however, this is a dumb argument.

You should always use client + server, most exploiters use code made by people who can code and eventually that person who can code will work around it if you have no server sided measures alongside your client ones.

Exploiters are persistent. Taking a look at Criminality and some games, the script communities there update to fix their scripts in almost near seconds. You’re not gonna shut down servers every 8h just to do something that’ll get bypassed in mere seconds, while hurting player experience?

I want to add that we are talking about anti-cheats, which means mostly security about player abilities. We don’t cover remote security here, so no, a money bag drop is not the job of an anti-cheat but rather of safe remotes.

This is not relevant to what I have posted.

I ain’t gonna lie, if done perfectly it CAN be okay, but if you look at many games, most of them don’t even bother with clientside anticheat. Your post also has 308 replies, which kinda should say a lot.

1 Like

Again, anti-cheat here is things such as anti: tp, speed, jump, fly etc.

On serverside? Yeah, it can be done and it’s much better than clientside anticheat. Just do serverside anticheats if you’re desperate.

All of these specific measures should be done on the server, not the client.

1 Like

Still, I can say it depends on the game. I thought about it overnight and I can say in some games where cheats harm players, but in games like clickers or sandboxes it’s practically a fight with wind

That literally won’t work in any anticheat ever unless it is written horribly.