Exploiter proof safe zone?

So how do you prevent exploitation if you don’t want to do a check server side? They can tell the remote they are in the safe zone and do whatever they want.

You are going to need to do something unprompted by the client if you want security.

I’m thoroughly confused as to your design choice.

Just looking for other ways in addition to what you suggested. You suggested using Touched. I appreciate that but I used Region3 because that's what it is for and should not be thrown out simply because you suggested it.

Thanks!

That’s just really not true. I do wish such absolute statements were not so common on here.

For example, I could simply do a server check on a player ONLY after they are confirmed by the server to be in a zone, so I can remove them. This would have the server only running 1 check per loop period and only on players who are already confirmed to be in a zone. This is MUCH MORE efficient than simply running a check on all zones on the server at all times. Once a player has been confirmed to not be in any zones at all, no check would be run. If no players at all are in any zones, there would be no loops running on the server at all. How is any sort of constant looping more efficient than my design?

Zone+ is probably the best way as @twinqle said. It uses raycasting and region3, really can’t get more refined. It is completely open-source and the functions and events are readily made for you.

.Touched is unreliable and exploiters can fire it or delete the TouchInterest/part entirely and .Touched won’t register.

Don’t use remotes as they can be removed on the client, thus making them not send-able.

Your options are pretty scarce here.

1 Like

For what it's worth to anyone reading this, Zone+ also uses client side checks.

About - HD Admin and 8 more pages - Personal - Microsoft​ Edge (gyazo.com)

There is nothing fundamentally flawed in my approach that I can see yet, despite suggestions in this thread.

In my system, the client makes the bulk of checks, but asks the server to double check before applying any zone states. I am NEVER relying on the client for actual setting of states, I am simply asking the client to do the heavy lifting. The OP is pretty clear about that I thought.

Looking through the client sided example above, it appears Zone+ is doing the same thing.

Respectfully, calling my system flawed is baseless.

I’m just writing my own, does anyone do that still? :stuck_out_tongue:

Absolutely. Plenty of individuals use open-sourced modules for their own projects. I highly recommend you use Zone+ as it is the most reliable method AFAIK.

Perhaps you could try :FindPartsInRegion3 as clients aren’t able to delete Region3’s.

You could also try :GetTouchingParts?

Thanks, I don't think you read the OP :slight_smile: I am using Region3

I did indeed read the original post, however you said you are firing remote events every second from the client to the server. As people have mentioned above, this is easily exploitable.

If you want a truly exploit-proof method, you’re going to have to use an event or loop on the server.

1 Like

Please re-read it for clarity then. I say CLEARLY that the client loops every second and does Region3 checks. IF it is in a zone, it then fires a remote to the server for VERIFICATION. If the server shows this is true, it will then apply the state.

this works flawlessly and is not-exploitable

The issue, again in the OP, is checking when the player leaves a zone, which CAN be exploited using the stated method.

Please read my response CLEARLY. I said you’re going to have to STOP firing the SERVER for VERIFICATION. You can EASILY DELETE the remote event and then IT WILL STOP firing the server, thus stopping the VERIFICATION.

They cannot spoof their location as the client has network ownership of their own location, the server can tell where the client’s character is at all times. If you aren’t firing the server, the location can’t be verified ever. If you’re using a loop on the client, the client can delete the script, then the checks will stop.

I don’t understand why you aren’t taking any of the advice individuals here have given you. Your method, as others have stated above, is flawed and easily exploitable.

2 Likes
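A server-authoritative version of the pattern argued over in this thread, as an added example that is not code from any poster or from Zone+: the client's remote is treated only as a hint to start checking, and the exit check runs on the server with no client involvement, so deleting the remote or the client script cannot keep the safe-zone state alive. `SafeZone`, `ZoneEnterHint` and the `InSafeZone` attribute are assumed names.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; instance names are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local zonePart = workspace:WaitForChild("SafeZone")               -- assumed zone Part
local enterHint = ReplicatedStorage:WaitForChild("ZoneEnterHint") -- assumed RemoteEvent
local CHECK_INTERVAL = 1 -- seconds between server re-checks

local inZone = {}      -- [Player] = true while the server has confirmed them inside
local watching = false -- true while the server loop is running

-- Server-side test: is the character's root inside the zone part's bounding box?
local function isInside(player)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return false end
	local p = zonePart.CFrame:PointToObjectSpace(root.Position)
	local half = zonePart.Size / 2
	return math.abs(p.X) <= half.X and math.abs(p.Y) <= half.Y and math.abs(p.Z) <= half.Z
end

local function setSafe(player, safe)
	inZone[player] = safe or nil
	player:SetAttribute("InSafeZone", safe) -- state is only ever written by the server
end

-- Runs only while at least one player is confirmed inside; stops when the zone is empty.
local function watchLoop()
	watching = true
	while next(inZone) do
		for player in pairs(inZone) do
			if not isInside(player) then setSafe(player, false) end
		end
		task.wait(CHECK_INTERVAL)
	end
	watching = false
end

-- The client's message is a hint only: its arguments are ignored and the server re-checks.
enterHint.OnServerEvent:Connect(function(player)
	if inZone[player] or not isInside(player) then return end
	setSafe(player, true)
	if not watching then task.spawn(watchLoop) end
end)

Players.PlayerRemoving:Connect(function(player) inZone[player] = nil end)
```

A client that never sends the hint simply never receives the safe state; once the state is granted, only the server loop can keep or revoke it.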

That would be perfectly fine, it's not the stated issue.

The issue is not wanting to create loops or events on the server, correct?

I created a Module where you can create a region on the server, using a part as the origin.
That constructor function returns a metatable with a custom bindable event that fires when the number of players in the region has changed and gives the playersInRegion array.

I do not use this module in the instance of safe zones where exploit-proof is imperative however, I believe this could be a solution to your problem.

When the server detects the player is in a safe zone, you could simply check a boolvalue in the player instance and vice versa for when they leave the safezone.

Using your client loop you could detect if the player is deleting said boolvalue locally, if they are then they are simply not in a safezone or you could do whatever else you want to do to handle exploiters in that loop as well.

2 Likes

That's the basics, at least not constant looping. I do realize, in one of my posts above, that I can simply start looping on the server once a player is in a zone, but not before.

My resistance to using Zone+ is several things. I don't want HDadmin in my game, and it is required to use Zone+.

I just grabbed the module and right here, the code will yield unless HDadmin is in the game

```lua
local HDAdmin = replicatedStorage:WaitForChild("HDAdmin")
local Signal = require(HDAdmin:WaitForChild("Signal"))
local Maid = require(HDAdmin:WaitForChild("Maid"))
```

This is not acceptable for me. A simple module for checking zones for a player should not require an entire admin system and new maids that are redundant for me. If I need to rewrite the thing, why not just write my own?

1 Like

Then delete the line, the script won’t yield.

I took a look at the code, it creates a folder named HD admin but does not install HD admin into the game. Read the whole thing before you start making assumptions.

2 Likes

lol are you even serious now?

The line requiring HDAdmin is then required for the following 2 lines, Signal and Maid, which are then used throughout the functions, including the main constructor. You can't simply delete the line.

```lua
-- CONSTRUCTOR
function Zone.new(group, additionalHeight)
	local self = {}
	setmetatable(self, Zone)

	local maid = Maid.new()
	self._maid = maid
	self._updateConnections = Maid.new()
	self.autoUpdate = true
	self.respectUpdateQueue = true
	self.group = group
	self.additionalHeight = additionalHeight or 0
	self.previousPlayers = {}
	self.playerAdded = maid:give(Signal.new())
	self.playerRemoving = maid:give(Signal.new())
	self.updated = maid:give(Signal.new())
	self.zoneId = httpService:GenerateGUID()

	self:update()

	return self
end
```

Here’s some alternative solutions I’ve thought of, they may not be the best but hopefully one of these can give you an idea or help you in some way.

> I’m assuming you're using some sort of sword etc… So I suggest checking the player's health if they get attacked or are attacking.

> Once a player enters the safe zone it wouldn’t allow them to do anything as you said. But if a player somehow is attacked etc… whilst they have invincibility then it’d alert the server. Not the best way

> If the player leaves the boundaries then it’ll send them straight back in if they somehow still have invincibility. An exploiter could teleport out of the zone. Yes, but you could try and make a script to counter that. If the player suddenly moves from one position to another in a small amount of time it’d alert the server. That’d cover long range teleporting. If the player moves positions but their humanoid magnitude or walk magnitude (I forgot what it's called) is nil then it’ll alert the server. But still, that does require a loop and might not be the best.

Then it clearly requires dependencies that are inside of the maid. If you want to recreate the entire module and its methods when it’s readily available for anyone to use, go ahead.