Does anyone have tips for writing 'secure' code?

I have hit a point in my project where I need to start writing my code with anti-exploit in mind. The problem is, I have never done it before. I am unsure whether the code I am writing even works against exploitation, so how can I tell? What are the best ways to build game security?

The last thing I want to do is come back and rewrite all my code again. ( I have already done this a couple times, and it’s time to move on… )

So, does anyone have any tips they can share to help me along?

4 Likes

Better it stays this way until you’ve first learned to secure the code you have to work with at present. I consider anti-exploit to be dedicated code towards blocking exploits, while secure code is in regards to ensuring the code you currently have cannot be taken advantage of.

Most of your “secure code” efforts will come from writing proper validation checks in remotes and ensuring that the client isn’t authoritative for sensitive tasks (transfer of data, purchases, damage, so on). That being said though, you also need to work with a balance in mind. The server should only be handling important tasks, not everything.

Really though, writing secure code is dependent on your game’s structure itself. The general concept of it is the same for all games, but the specifics vary from game to game.

3 Likes

I know it's probably common knowledge now, but never trust the client.

i.e. If you have a debounce on the client but not the server, that could potentially be an issue.

If you have info that is needed, preferably get it on the server. (e.g. sell prices should be retrieved on the server and not passed through by the client)
For things you can only get on the client, you have to trust the client. (e.g. where a weapon is firing)
Also make sure the client isn't passing anything more than what can only be retrieved on the client. (even things like mouse.Target shouldn't be passed through, as the client could select whatever part it chose)

4 Likes

I am assuming that you are using raycasting, so first off I suggest shooting the ray on the client since it's much faster, and when the ray hits something we can send all the information needed to the server, aka the origin of the ray, length of the ray, direction of the ray, position and the hit. After that we let the service check and decide.

This has been talked about many times before on the forum. If you want a ton of great information, use the search bar (magnifying glass) and search “preventing exploits” or anything similar.

When preventing exploits, keep the following in mind:

  • Never Trust The Client. Exploiters can fire whatever they want, when they want, and how they want. They can also modify anything locally. Never rely on the client to determine anything.
  • Sanity Checks. Going along with the above, make sure every request is valid. For example, if the player wants to purchase something, check on the server if they have enough cash. If they want to use a special ability, check that they own it on the server.
  • Network Ownership. Exploiters can only modify their player, as they network own it. This means that they can teleport, noclip, and speed hack easily. However, you can prevent this by checking a player’s character’s position constantly, and working according to that.

Those are the key points. Make sure to search about exploits as I mentioned above; there are a lot of great threads on this topic. Have a good day.

3 Likes
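A server Script that puts the advice from the replies above into practice (a server-side debounce rather than a client one, accepting only the origin and direction from the client, re-running the ray on the server instead of trusting the reported hit, and checking that the shot comes from where the server thinks the character is). This is an added example, not code from any of the posters; the RemoteEvent name, cooldown, range, tolerance and damage values are assumptions.

```lua
-- ServerScriptService/FireHandler.server.lua (added example; names and numbers are assumptions)
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local fireRemote = ReplicatedStorage:WaitForChild("FireWeapon") -- assumed RemoteEvent name
local FIRE_COOLDOWN = 0.2   -- seconds; server-side debounce, independent of any client debounce
local MAX_RANGE = 300       -- studs; cap the ray length regardless of what the client asks for
local ORIGIN_TOLERANCE = 8  -- studs; how far the claimed origin may be from the character's head
local DAMAGE = 20

local lastFire = {} -- [player] = os.clock() of the last accepted shot

Players.PlayerRemoving:Connect(function(player)
	lastFire[player] = nil
end)

-- Only origin and direction are accepted from the client; the hit is recomputed here.
fireRemote.OnServerEvent:Connect(function(player, origin, direction)
	-- 1. Type and range checks: an exploiter can send any value (nil, strings, NaN, huge numbers).
	if typeof(origin) ~= "Vector3" or typeof(direction) ~= "Vector3" then return end
	if not (direction.Magnitude > 0 and direction.Magnitude < math.huge) then return end
	if not (origin.Magnitude < math.huge) then return end

	-- 2. Server-side debounce (the client's own debounce may have been removed).
	local now = os.clock()
	if lastFire[player] and now - lastFire[player] < FIRE_COOLDOWN then return end

	-- 3. The shot must come from roughly where the server sees the character.
	local character = player.Character
	local head = character and character:FindFirstChild("Head")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not head or not humanoid or humanoid.Health <= 0 then return end
	if (origin - head.Position).Magnitude > ORIGIN_TOLERANCE then return end

	lastFire[player] = now

	-- 4. Re-run the ray on the server with a clamped length; the client's claimed hit is ignored.
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	local result = workspace:Raycast(origin, direction.Unit * MAX_RANGE, params)
	if not result then return end

	-- 5. Apply damage only to what the server's own ray actually hit.
	local hitModel = result.Instance.Parent
	local targetHumanoid = hitModel and hitModel:FindFirstChildOfClass("Humanoid")
	if targetHumanoid and targetHumanoid.Health > 0 then
		targetHumanoid:TakeDamage(DAMAGE)
	end
end)
```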