I clicked on Test in Roblox Studio. It opened a Server window and a Client window.
In the Client window, I changed a BoolValue in the Workspace. The Client showed the change but the Server did not. The Server kept the value it already had.
Good, right?
My question is this: is that how it works in a real game?
Are my values stored in the Workspace safe from exploiters/hackers?
If they are stored inside a player’s character, are they also safe?
A player can change any of those values, inside their character or in workspace. The change will apply only for them. But if you tell a server script to read that value, the server will find the value without any change from the client. So, no matter whether players change their own value or the value in workspace, you should make the decisions on the server, checking that value, in order to send rules to the client.
They are indeed safe from being written to, but they can still see what is there. I also recommend putting them in replicated storage. It will behave the same as if they were in workspace, but it will be a little more organized. Unless you need the values to be a part of something in workspace.
It just means that you should read those values in workspace, character, replicated storage, or anywhere from a server script, and not receive a signal/remote from the client, trusting what that value is.
If the client changes the value, the server won't change, so the server knows the right value that should be used in order to fire the client with those instructions.
So really, it just comes down to not trusting Local Scripts, Module Scripts (located in public places) and not allowing a Client to send “Data” through a Remote Event. They should only receive “Data” through Remote Events.
Yup, along with other stuff about “trusting the client”
Of course you want to allow the client to send data, it's just about how you check if that data is true.
Anything the client changes is not changed on the server, for security reasons. The client also can’t access certain things, like ServerStorage and ServerScriptService, as well as other players’ PlayerGui. They say not to trust the client because of exploiters. They have complete control over the client and they can monitor a lot.
This behavior is persistent everywhere on Roblox.
So to communicate between client and server, use RemoteEvents.
I believe there are a few exceptions with the player’s character. They might be able to control a lot of it unlike other regular instances.
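
The advice in this thread (read the value from a server script and check whatever a client sends through a remote), as an added example that is not code from any of the posters. The instance names `DoorUnlocked`, `RequestOpenDoor`, `DoorResult` and the door list are hypothetical.

```lua
-- Script in ServerScriptService (runs on the server only).
-- Assumed, hypothetical instances: a BoolValue "DoorUnlocked" in Workspace and
-- RemoteEvents "RequestOpenDoor" and "DoorResult" in ReplicatedStorage.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Workspace = game:GetService("Workspace")

local doorUnlocked = Workspace:WaitForChild("DoorUnlocked")
local requestOpenDoor = ReplicatedStorage:WaitForChild("RequestOpenDoor")
local doorResult = ReplicatedStorage:WaitForChild("DoorResult")

local VALID_DOORS = { Front = true, Back = true } -- constructed sample data
local COOLDOWN_SECONDS = 1
local lastRequest = {} -- [Player] = os.clock() of the last accepted request

requestOpenDoor.OnServerEvent:Connect(function(player, doorName, claimedUnlocked)
	-- `player` is filled in by the engine. Every argument after it comes
	-- from the client and can hold any type or value.
	if typeof(doorName) ~= "string" or not VALID_DOORS[doorName] then
		return -- unexpected request shape: drop it
	end

	-- Limit how often one client can make the server do work.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN_SECONDS then
		return
	end
	lastRequest[player] = now

	-- `claimedUnlocked` is ignored on purpose. A client-side edit to its copy
	-- of the BoolValue does not replicate, so the server reads its own copy.
	local allowed = doorUnlocked.Value

	-- The server makes the decision and tells the client the result.
	doorResult:FireClient(player, doorName, allowed)
end)

-- Forget per-player state when the player leaves.
Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil
end)
```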