NEVER trust the client!
Try to secure as many remotes as possible, especially those with the most vulnerability, such as currency and things related to that or of equal importance.
Add basic exploit detection and prevention, meaning if the game is around sword fighting, try using HBE detectors in order to automatically kick them, remember most scripts people use are completely automatic and they’re run off their 20 dollar injector.
Whenever you see an exploiter, make sure to have an active moderator team on standby; most moderators work for free, as they see it as a privilege rather than a job to be moderating a game they enjoy and love so much.
Try to hide your anti-exploits in the animation scripts or similar, as this will help immensely with deterring exploiters who use Dark Dex or a remote spy.
Make sure to always report any exploiters to Roblox, as they tend to IP ban them as well.
Follow the basic FE tutorials on the forum as well.
Good luck on scripting and I hope your game does well!
As for the money exploit, you could keep track of users' money in a script instead of an IntValue…
As for remote event spam, I wouldn't worry about it too much as long as you have a good system in place for comms with RemoteEvents. I wouldn't make RemoteEvent names obvious; I'd give them a random name so that if you have multiple RemoteEvents it's harder to tell which one is for what on their end. Obviously you would want to keep track of the RemoteEvent names.
Edit:
I do have to say though, the game looks amazing.
Try to make the game actually playable though. It's better to have a few security flaws, if you must, for better gameplay. For an admin system I am working on called Barren, I have a script that will automatically send notifications to us on Discord if a person has suspiciously high amounts of items, after which we can check their inventory.
The most difficult types of games to make anti-exploits for are FPS shooters. You have to either choose to shoot a bullet from the server, which you can't really exploit unless they teleport, but the trade-offs are things like hit detection being weird, and yeah. Also the game looks pretty nice, good luck on it!
Unless you’re performing strenuous logic or creating a lot of instances on the server per event invocation, this won’t be an issue. There are internal limits in place for client → server communication to prevent denial of service attacks through event spam. If you want to prevent logic from being carried out multiple times in quick succession, implement a debounce on the server per user using the leaky bucket method (recommended because the server isn’t guaranteed to receive data in the order it was sent, this method should effectively deal with that).
Make sure to search your datamodel in studio for any unrecognised scripts, your place file could contain a backdoor giving users server-side access. Ensure hidden objects is ticked in studio → settings. Perform a code review on any studio plugins you are using. If anything looks suspicious or is obfuscated, you should uninstall it.
Follow the above quote and ensure you are performing the proper validation and logic checks on the server. Don't rely on input or information from the client. If an event handles damage, determine on the server whether the user is close enough and able to damage the victim, and determine the damage on the server (i.e. don't send it from the client, it can be manipulated).
Here is a nice article for you to read which goes into further detail about the topics I mentioned above.
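The per-user leaky-bucket debounce and the server-side range/damage check described in the reply above, written out as an added example in Luau (this is not code from the thread or from any poster). The RemoteEvent `AttackRemote`, the bucket parameters, `MAX_HIT_RANGE` and `BASE_DAMAGE` are assumptions chosen for the example:

```lua
-- Added example, not from the original thread. Server Script.
-- Per-player leaky bucket on a RemoteEvent plus server-owned hit validation.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumed RemoteEvent name; the client fires it with the target character.
local attackRemote = ReplicatedStorage:WaitForChild("AttackRemote")

-- Leaky bucket (assumed values): every request adds one unit, the bucket
-- drains at DRAIN_PER_SECOND, and a request that would overflow CAPACITY
-- is dropped. Only elapsed wall-clock time is used, so out-of-order
-- delivery of client packets does not break the accounting.
local CAPACITY = 5
local DRAIN_PER_SECOND = 2

local buckets = {} -- [Player] = { level = number, lastUpdate = number }

local function allowRequest(player)
	local now = os.clock()
	local bucket = buckets[player]
	if not bucket then
		bucket = { level = 0, lastUpdate = now }
		buckets[player] = bucket
	end
	local elapsed = now - bucket.lastUpdate
	bucket.level = math.max(0, bucket.level - elapsed * DRAIN_PER_SECOND)
	bucket.lastUpdate = now
	if bucket.level + 1 > CAPACITY then
		return false -- bucket full: ignore this invocation
	end
	bucket.level += 1
	return true
end

Players.PlayerRemoving:Connect(function(player)
	buckets[player] = nil -- do not leak entries for players who left
end)

local MAX_HIT_RANGE = 8 -- studs (assumed)
local BASE_DAMAGE = 25  -- server-owned; never accepted from the client (assumed)

attackRemote.OnServerEvent:Connect(function(player, targetCharacter)
	if not allowRequest(player) then
		return
	end
	-- Validate argument types: an exploiter can pass anything here.
	if typeof(targetCharacter) ~= "Instance" or not targetCharacter:IsA("Model") then
		return
	end
	local character = player.Character
	local attackerRoot = character and character:FindFirstChild("HumanoidRootPart")
	local targetRoot = targetCharacter:FindFirstChild("HumanoidRootPart")
	local targetHumanoid = targetCharacter:FindFirstChildOfClass("Humanoid")
	if not (attackerRoot and targetRoot and targetHumanoid) then
		return
	end
	if targetHumanoid.Health <= 0 or targetCharacter == character then
		return
	end
	-- Range is measured on the server from replicated positions, not from
	-- any distance or hit flag the client claims.
	if (attackerRoot.Position - targetRoot.Position).Magnitude > MAX_HIT_RANGE then
		return
	end
	targetHumanoid:TakeDamage(BASE_DAMAGE)
end)
```

The bucket sizes here are deliberately small so that a normal swing cadence passes but an injector firing the remote in a tight loop is dropped after the first few calls; tune `CAPACITY` and `DRAIN_PER_SECOND` to the game's real attack rate so legitimate players are never penalised.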
Definitely make sure you’re not in Experimental Mode and have FE on.
As for the hacks, make sure things like money are handled on the server, make sure there are no remotes that can be abused if you send the wrong arguments, and make sure that nothing relies on the client.
Seriously the only “guide” there is for anti-exploits is never trust the client. Assume every single player is the world’s best hacker and will get around your system in any way. (Obviously make sure the system isn’t going to just penalize every player, but still don’t trust them.)
You can also add checks for different values like money and stuff. If money gets increased suspiciously high, and no script has put out a signal that says that it should be changing, lock it and flag the player to a moderation team (if you have a moderation team). From there, you can decide what to do with the player.
Your hacker has told us how to get infinite money and that is by spamming this remote.
To fix this, make sure you put a debounce on the remote so it won't do anything until the previous client fire is handled. Make sure you are checking on the server that it's legitimate, and don't do anything based on the client.
Checked for backdoors after turning off hidden objects — can’t find any backdoors (which makes sense as I basically made everything). It seems the issue is remote events trusting clients
Also, you can prompt a purchase on the client without using a RemoteEvent to have the server prompt it. If the purchase completes, the server will receive a notification, so you can handle it on the server side without telling the client to send that to the server. Give it a try in a test place! (I can also make an example place if you want.)
Example:
GUI button on client → client LocalScript prompts a purchase
Client buys it → Script on server receives notification by API → code to give stuff.
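The flow described in this post, as an added example in Luau (not code from the thread or from the poster). The client only prompts; the grant happens in the server's `MarketplaceService.ProcessReceipt` callback, so no RemoteEvent carries "I bought gold". The product id, the `Gold` reward amount and the `balances` table are assumptions for the example:

```lua
-- Added example, not from the original thread.
-- ===== LocalScript (client): only prompts, never grants =====
-- local MarketplaceService = game:GetService("MarketplaceService")
-- local Players = game:GetService("Players")
-- local GOLD_PRODUCT_ID = 0 -- assumed placeholder developer product id
-- buyButton.MouseButton1Click:Connect(function()
--     MarketplaceService:PromptProductPurchase(Players.LocalPlayer, GOLD_PRODUCT_ID)
-- end)

-- ===== Script (server): Roblox calls ProcessReceipt after a real purchase =====
local MarketplaceService = game:GetService("MarketplaceService")
local Players = game:GetService("Players")

local GOLD_PRODUCT_ID = 0 -- assumed placeholder; must match the client prompt

-- Server-owned balances keyed by UserId (assumed storage for the example).
local balances = {}

-- What each product grants. The client never tells the server the amount.
local productGrants = {
	[GOLD_PRODUCT_ID] = function(player)
		balances[player.UserId] = (balances[player.UserId] or 0) + 500
	end,
}

-- PurchaseIds already granted in this server, so a receipt Roblox re-delivers
-- (e.g. after a retry) is not granted twice. Persisting these to a DataStore
-- is the usual recommendation; an in-memory set keeps the example offline.
local grantedPurchases = {}

MarketplaceService.ProcessReceipt = function(receiptInfo)
	if grantedPurchases[receiptInfo.PurchaseId] then
		return Enum.ProductPurchaseDecision.PurchaseGranted
	end

	local player = Players:GetPlayerByUserId(receiptInfo.PlayerId)
	if not player then
		-- Player left; Roblox will call us again later with the same receipt.
		return Enum.ProductPurchaseDecision.NotProcessedYet
	end

	local grant = productGrants[receiptInfo.ProductId]
	if not grant then
		warn(("[purchase] unknown product %d from %s"):format(receiptInfo.ProductId, player.Name))
		return Enum.ProductPurchaseDecision.NotProcessedYet
	end

	local ok, err = pcall(grant, player)
	if not ok then
		warn("[purchase] grant failed: " .. tostring(err))
		return Enum.ProductPurchaseDecision.NotProcessedYet
	end

	grantedPurchases[receiptInfo.PurchaseId] = true
	return Enum.ProductPurchaseDecision.PurchaseGranted
end

Players.PlayerRemoving:Connect(function(player)
	balances[player.UserId] = nil -- in a real game, save to a DataStore first
end)
```

Returning `NotProcessedYet` tells Roblox to retry the receipt later, which is why the grant must be idempotent (hence the `PurchaseId` check); returning `PurchaseGranted` is the only thing that finalises the transaction.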
You could easily set up some sort of strike system. After adding sanity checks to your remotes to secure them, simply store the number of times a player has sent bad information to the remote. If they get a certain number of strikes, then kick them. There are probably 100 different ways to secure remotes, but this would be a good place to start. Also, never have the client tell the server to do something that the server already knows/can do itself. In other words, why tell the server that the client purchased gold? Why not handle the entire purchase on the server? Have the client tell the server that it is "attempting" to purchase the gold. Little things like this make your game more secure.
Actually, if you've checked it out, purchasing gold is done via in-game currency, meaning it isn't a part of MarketplaceService. You can't use the security of MarketplaceService because it does in fact have to be done with a RemoteEvent. However, you still have to do security checks to make sure it isn't an exploiter.
The client shouldn't even have to tell the server that; the server should already know the price of each item. The client should just tell the server what item it's trying to buy.
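The three replies above (strike counting for bad remote arguments, handling the in-game-currency purchase entirely on the server, and a server-owned price table) combine into one handler; this is an added example in Luau, not code from the thread or from any poster. It also follows the earlier suggestion to track money in a server-side table rather than a replicated IntValue. The `BuyItem` RemoteEvent, the `SHOP` catalogue, `MAX_STRIKES` and the starting balance are assumptions for the example:

```lua
-- Added example, not from the original thread. Server Script.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumed RemoteEvent: the client fires it with ONLY the item name.
local buyRemote = ReplicatedStorage:WaitForChild("BuyItem")

-- Server-owned catalogue (assumed items/prices). The client never sends a price.
local SHOP = {
	Sword = 100,
	Shield = 250,
}

local MAX_STRIKES = 5 -- assumed threshold before kicking
local START_GOLD = 300 -- assumed

local balances = {}  -- [UserId] = gold; lives only on the server
local inventory = {} -- [UserId] = { [itemName] = count }
local strikes = {}   -- [UserId] = number of malformed requests
local busy = {}      -- [UserId] = true while a purchase is being processed

local function strike(player, reason)
	local n = (strikes[player.UserId] or 0) + 1
	strikes[player.UserId] = n
	warn(("[shop] %s (%d) sent bad data: %s (strike %d/%d)"):format(
		player.Name, player.UserId, reason, n, MAX_STRIKES))
	if n >= MAX_STRIKES then
		player:Kick("Too many invalid requests.")
	end
end

Players.PlayerAdded:Connect(function(player)
	balances[player.UserId] = START_GOLD
	inventory[player.UserId] = {}
end)

Players.PlayerRemoving:Connect(function(player)
	balances[player.UserId] = nil
	inventory[player.UserId] = nil
	strikes[player.UserId] = nil
	busy[player.UserId] = nil
end)

buyRemote.OnServerEvent:Connect(function(player, itemName)
	local uid = player.UserId

	-- Sanity checks: anything other than a known item name is a strike.
	if type(itemName) ~= "string" then
		strike(player, "item name is " .. typeof(itemName))
		return
	end
	local price = SHOP[itemName]
	if not price then
		strike(player, "unknown item '" .. itemName .. "'")
		return
	end

	-- Per-player debounce: a second fire is ignored until the first one has
	-- finished. This matters if the handler ever yields (DataStore, etc.);
	-- without it, spamming the remote can spend the same gold twice.
	if busy[uid] then
		return
	end
	busy[uid] = true

	local gold = balances[uid] or 0
	if gold < price then
		-- A genuine client greys out unaffordable items, so this is
		-- suspicious, but not proof of tampering (a race with a UI refresh is
		-- possible). Deny without a strike.
		busy[uid] = nil
		return
	end

	-- Deduct and grant on the server only.
	balances[uid] = gold - price
	local bag = inventory[uid]
	bag[itemName] = (bag[itemName] or 0) + 1

	busy[uid] = nil
end)
```

Because the balance and inventory live in server-side tables, a client that edits its local copy of the shop GUI changes nothing that matters; the only way to obtain an item is for this handler to deduct the server's own price from the server's own balance.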
As far as I know, Roblox has limits on how often a client can fire RemoteEvents/RemoteFunctions. If a given client is spamming a remote, after a certain threshold is passed Roblox will start timing out the client.
I do not have a direct source for this information, if I find one I will update this post.
You can exhaust remotes, but you can still easily crash/lag servers by spamming them, if that's what he's talking about, especially if the remotes error or you just have some heavy code running each time. (Unless something new came out limiting remote spam more?)
I recall an engineer stating in some thread that they’ve made remote throttling better, and that they couldn’t be spammed by exploits as easily. I don’t remember which thread it was, it was sometime in 2018.