Detailing damage/cooldowns on server vs. client

I’m working on a combat system and I just realized I’ve been putting all my damage and cooldown values on a local script. Should I be concerned that the client can adjust these values via exploits? If so, how would I go about making them server-side? Will it still be exploitable if it’s on the server? Please let me know!

Just handle your Value Detection checks on the server side; never trust the client.

Provided they’re created on the Server, and changed on the Server, you should be fine. (Exploiters can still change the values, obviously, since they’re replicated, but it’ll only affect their side, as Exploiters can only see what’s visible to them, so you have to check it on the server to ensure that they’re not abusing the Cooldowns.)

I suppose this is what Exploiters can see:

  • ReplicatedFirst
  • ReplicatedStorage
  • workspace
  • Lighting

This is what they can’t see:

  • ServerScriptService
  • ServerStorage

(Correct me if I’m wrong)

1 Like

Sounds good, thanks for confirming that. By value detection checks, does that mean I should be using a remote function (client->server->client) to retrieve the values for cooldowns/damage? Also, I’m sorta worried about the other things they can change now. For example, I’m pretty sure an exploiter can easily make a hitbox extender as my hitboxes are defined locally.

Not even sure how I would rewrite my scripts to have almost everything server sided.

I meant like checking their values on the server. You could just simply create them like you would on the client, except create custom functions which would only fire whenever they’re called on. (I mean, sure, you can use a RemoteEvent/RemoteFunction; just be careful about how you handle both sides, though.)

I mean, as long as the hitboxes you’re checking aren’t on the client, you should be fine. (You should handle dealing damage on the server anyways.) Also, wouldn’t each of their Hitboxes be nil if you’re creating one for each client?

1 Like

Thanks for the clarification. The hitboxes are checked on the server as well, so I guess there shouldn’t be a problem there either.
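
The server-side checks discussed in this thread, written out as an added example that is not part of any post above: a Script in ServerScriptService that keeps the damage and cooldown values on the server, times cooldowns with the server clock, and range-checks each hit. The RemoteEvent name `AttackRequest`, the `ATTACKS` table with its values, and the `(attackName, target)` argument shape are assumptions made for illustration.

```lua
-- Script in ServerScriptService (added example; names below are assumptions).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Authoritative values live only in this server script; clients never send them.
local ATTACKS = {
	Punch = { damage = 10, cooldown = 0.5, range = 8 },
	Slash = { damage = 25, cooldown = 1.5, range = 10 },
}

-- The RemoteEvent is created by the server; clients only fire it.
local attackEvent = Instance.new("RemoteEvent")
attackEvent.Name = "AttackRequest" -- hypothetical name
attackEvent.Parent = ReplicatedStorage

local lastUsed = {} -- [player] = { [attackName] = server time of last accepted use }

local function rootOf(character)
	return character and character:FindFirstChild("HumanoidRootPart")
end

attackEvent.OnServerEvent:Connect(function(player, attackName, target)
	-- Every argument after `player` is client-controlled: validate type and value.
	local attack = type(attackName) == "string" and ATTACKS[attackName]
	if not attack then return end
	if typeof(target) ~= "Instance" or not target:IsA("Model") then return end
	if target == player.Character then return end

	-- Cooldown is measured with the server clock, not a client timestamp.
	local now = os.clock()
	local used = lastUsed[player] or {}
	lastUsed[player] = used
	if used[attackName] and now - used[attackName] < attack.cooldown then return end

	-- Range check on the server bounds what an enlarged local hitbox can claim.
	local attackerRoot, targetRoot = rootOf(player.Character), rootOf(target)
	local humanoid = target:FindFirstChildOfClass("Humanoid")
	if not (attackerRoot and targetRoot and humanoid and humanoid.Health > 0) then return end
	if (attackerRoot.Position - targetRoot.Position).Magnitude > attack.range then return end

	used[attackName] = now
	humanoid:TakeDamage(attack.damage) -- damage comes from the server table
end)

-- Drop per-player state when the player leaves.
Players.PlayerRemoving:Connect(function(player)
	lastUsed[player] = nil
end)
```

A LocalScript can still play animations and show its own cooldown UI immediately; requests that arrive early or from out of range are simply dropped by the handler above.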