Honestly, Client Anti-cheats are required. Completely. Server anti-cheats usually damage performance and make gameplay more difficult.
The greatest issue with Client Anti-exploits is that it is easily bypassable, but is it really? There are a few ways to deal with exploiters using purely client anti-exploits.
- You require a vLua module (The one I use), or, whenever Roblox allows load string for clients.
- You need one script in ServerScriptService and a Localscript in StarterPlayerScripts.
- Make a RemoteFunction in ReplicatedStorage.
- In the server script, make an array of different script snippets as a string. Preferably one’s that return unpredictable values. Then send it to client via RemoteFunction.
- In the client, use the vLua in step 1, and send the info back to server.
- Have the server check this information, and kick the player if the info is not possible without hacking.
- Also insert some random snippets in the code, that return something random, and kick the player if it doesn’t return correctly. So the exploiters can’t predict what snippet they will get. (Making it difficult to spoof)
This is just a theory, it may take some time for me to apply it fully. The exploiter could also spoof the checked values, but that adds a huge layer of complexity that would hamper all but the most experienced exploiters.