Exploiter accessing unauthorized area

https://create.roblox.com/docs/scripting/networking/network-ownership

Please test whatever you say first!

  1. Run the following script in the command bar in Client View in a Studio playtest:

```lua
for i,v in pairs(workspace:GetChildren()) do
    if v:IsA("BasePart") and v.Anchored then
        v.Color = Color3.new(1, 1, 1)
    end
end
```

  2. Switch between the Server and Client views, and notice that in the Client view, a bunch of parts have turned completely white, while nothing has changed in the server view.

That’s only true if you are kicking the player via a localscript, which, according to OP, isn’t what they are doing.


Instead of using workspace:GetPartsInPart, I’m having the server check every second to determine if the character’s Z position is greater than 10 (giving a bit of a cushion) as anything greater than 8 means the player is on the board. The map is a big box so I don’t need to worry about X or Y. So far there haven’t been any reports of players being on the board and if it does reoccur then preventing them from colliding with the objects works well. Thank you all for your input and feedback!
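
The once-per-second server check described in the post above, sketched as an added example (not the poster's script). The strike counter and the respawn response are assumptions; the thresholds are the ones given in the post.

```lua
-- Added example: server-side Script, e.g. placed in ServerScriptService.
local Players = game:GetService("Players")

local BOARD_Z_LIMIT = 10   -- from the post: > 8 is on the board, 10 leaves a cushion
local CHECK_INTERVAL = 1   -- seconds, as in the post
local STRIKES_TO_ACT = 2   -- assumption: require consecutive hits before acting

local strikes = {}         -- [Player] = consecutive out-of-bounds checks

-- The rule itself, kept in one place. X and Y are ignored, as in the post.
local function isOnBoard(position: Vector3): boolean
	return position.Z > BOARD_Z_LIMIT
end

local function checkPlayer(player: Player)
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not humanoid or humanoid.Health <= 0 then
		strikes[player] = nil -- no live character to judge
		return
	end
	-- Evaluated on the server's view of the character; no client script is involved.
	if isOnBoard(character:GetPivot().Position) then
		strikes[player] = (strikes[player] or 0) + 1
		if strikes[player] >= STRIKES_TO_ACT then
			strikes[player] = nil
			-- Assumption: respawn as the response. LoadCharacter yields,
			-- so run it in its own thread to keep the loop on schedule.
			task.spawn(function()
				player:LoadCharacter()
			end)
		end
	else
		strikes[player] = nil
	end
end

Players.PlayerRemoving:Connect(function(player)
	strikes[player] = nil -- do not keep state for players who left
end)

while true do
	for _, player in ipairs(Players:GetPlayers()) do
		checkPlayer(player)
	end
	task.wait(CHECK_INTERVAL)
end
```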

Verify if the user can interact with the objects on the server.

Use raycast or fast cast instead, much faster than region3, touched and zone plus

I am seeing too much false data in this thread. If the player doesn’t have network ownership over an instance, they won’t be able to replicate changes to the server, meaning that if they get to delete the “exploit detect” part, it would still exist on the server.

I know that, but it still doesn’t ignore the fact that a player can use that script to bypass something (like barriers).
Take for example a locked door: normal players can’t access it, they need a key of course! However, an exploiter can easily use the script I posted to bypass the lock and easily go through the door. Players can see the exploiter go through the door, but they can’t go through it themselves.
I am very much aware that anything an exploiter creates on their client is not replicated unless noted otherwise.


I just did a short explanation of how that can be easily abused.


I understood what you meant, I thought you were talking about replication, because I misread.

For that case just raycast from the exploiter and check if he’s inside a room he shouldn’t be in yet.


Yea me and @Judgy_Oreo both misunderstood, we thought you were talking about cancollide client replication haha


When a script is running in server context, it does not replicate its bytecode to clients, but it is recommended to use ServerScriptService over workspace so clients don’t have an idea of how your game works server-side by looking at the name of the scripts.

ModuleScripts are different, if they get replicated to the client it will provide the code to the client because it may be required from the client

I have posted a script that kicks players if they remove it
so whatever they do if they try to bypass it they get instantly kicked
(in this topic)
Humanoid removed check post

Exploiters can just rename HumanoidRootPart, anyways.

Plus the really, really low number (0.05) may kick laggy players or cause false positives.

You can check for a child of their player.character, of class Humanoid, and see what its property of HumanoidRootPart is pointing to.


They can’t if it’s by server, or it won’t replicate to server.

I tested a 0.05 delay and it works fine; depending on the game, if it is laggy then
you can easily change it. Plus it only false detects (if laggy, and probably not) when your HumanoidRootPart has fallen to the void, so chances of lagging while falling are low.
Reminder that this isn’t controlled by the client, so any ping freeze won’t stop it from checking.

That’s so useless, there is no need for that.
It’s better to just detect its deletion while the player is alive.
Also, deleting HumanoidRootPart is replicated, so that would fail so badly.