Exploiting Explained

Alright, I have a very specific question about exploiters; when it comes to scripts inside of the workspace or their player… are they able to steal the code inside of the ServerScripts? I ask as I only know so much about what exploiters can and can not do. I know they can not steal Server Scripts in Server Script Service, nor steal any Module Scripts that aren’t connected to a Local Script.

Could someone do an updated view on this matter please?

1 Like

No matter what circumstance exploiters cannot see server scripts.

So, they can not open them and steal the code? Even if it’s in workspace?

They cannot decompile them because the server script bytecode is not sent to the client.

1 Like

Isn’t everything in the workspace or the player translated to the Client so the client can use the said code…?

No, a server script doesn’t magically become a local script/module script accessible to the client when the object itself is accessible to the client. Just as the OP says.

3 Likes

OK, but I know some of my friends use exploits in their own games.
For debugging and other use.
Is that against the Roblox ToS?
“If you don’t ruin others’ experience”

1 Like

Yes it is against the rules regardless of intention or who it is. You don’t need to use cheating software to test anti exploits – if you really need to test them use the command bar, but most bypasses should be caught through code review.

2 Likes

OK, thank you, I will tell them. 🙂

2 Likes

I mean, once your game/anti-cheat gets popular, the developers of Proto and Synapse would unpatch it.
It’s an endless circle.

1 Like

Very good post. I have learned a lot from this. 🙂

1 Like

Let me see if I understand: if I have a game where I need to move 1000 parts in workspace via Render step, in Local script, an exploiter can hack its positions. So I need to move all these 1000 parts via Server, 60 fps, or 60000 requests per second between server and client? Impossible!

1 Like

You shouldn’t do that in the first place, that’s a very unrealistic case scenario.

2 Likes

Not at all.
Let’s assume a Tetris 3D type game, with pieces that “fall” with random positions and orientations. The player has to move the pieces with the mouse or keyboard, to fit all together. The faster the player can do this, the more points he earns.
Now suppose an exploiter hacks LocalScript to intercept and change the position of these pieces to fit them automatically. He will win unfairly.
The only way I see in this case is that the pieces are moved via ServerScript and not LocalScript anymore.
Then comes the big problem: the large communication overhead between the server and the client, making the game unusable.
Do you see any alternative that prevents the exploiter from altering the movement of these pieces?

You don’t need to move 1000 parts per frame in that.

Also, since Tetris is largely client-sided, you can’t do anything about that, and you can’t do it server-sided because you need player input. An exploiter will always be able to spoof that. Also, I think you are under the misconception that if something is being moved by the server, the client no longer has control over it. This is wrong. The client can still move the part, but depending on whether you’re validating on the server or the client, this exploit may or may not work.

This is also why exploits like aimbot and ESP cannot be patched.

Good exploiters can also change the source code of ModuleScripts.

I was just illustrating a situation. Tetris was just one example.
The server can interact in the workspace in the same way, changing the properties of the parts. But each interaction requires communication between the server and the client, generating a huge communication overhead, making the game unfeasible.
At the same time, my game needs to move literally THOUSANDS of pieces per frame in RenderStep. And this can be targeted by the exploiter.
In this case, nothing can be done?

The problem might not be with the server-client communication gap but instead with your method of handling the part movement. I don’t see any reason to move thousands of parts every frame. What are you trying to do? If you prefer, we can discuss this in DMs or on Discord @MrTher#6969. I don’t want to flood this thread.

Tetris is a completely deterministic game, so it is actually a great example on what the OP is explaining. The server generates a seed for randomness, and then sends it to the clients. At this point, the entire game can run on the clients. You can proceed in 2 ways:

  • The client stores all the exact timings and inputs the player does. When the game ends, these inputs are sent to the server and the server runs a headless simulation of the game with them. The simulation is then used to calculate the real score.

  • The client sends the server each input as it comes, and the server keeps a mirror of the client game. The server can then check the validity of moves as they happen.

4 Likes
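The first option in the post above (log the inputs, then have the server rerun the game headlessly from its own seed), as an added example that is not part of the original thread. The toy game rules, function names and constants are assumptions made for illustration, and the generator is a plain MINSTD LCG rather than Roblox's own RNG.

```lua
-- Toy game (hypothetical rules): a block spawns over a seeded column; L/R shift it, D drops it; a full row scores 10.
local WIDTH, MAX_HEIGHT, MIN_TICK_GAP, MAX_INPUTS = 6, 8, 2, 5000
local MOVES = { L = -1, R = 1 }
-- MINSTD generator: client and server get the same sequence from the same seed.
local function nextRandom(state)
	return (state * 48271) % 2147483647
end
-- Headless replay of {tick, key} pairs; returns the score, or nil and a reason.
local function replay(seed, inputs)
	local state = nextRandom(seed % 2147483646 + 1)
	local column = state % WIDTH + 1
	local heights, score, lastTick = {}, 0, -MIN_TICK_GAP
	for c = 1, WIDTH do heights[c] = 0 end
	for i, input in ipairs(inputs) do
		if type(input) ~= "table" then return nil, "input " .. i .. ": malformed" end
		local tick, key = input[1], input[2]
		if type(tick) ~= "number" or tick % 1 ~= 0 or tick - lastTick < MIN_TICK_GAP then
			return nil, "input " .. i .. ": impossible timing"
		end
		lastTick = tick
		if MOVES[key] then
			column = math.max(1, math.min(WIDTH, column + MOVES[key]))
		elseif key == "D" then
			heights[column] = heights[column] + 1
			if heights[column] > MAX_HEIGHT then return nil, "input " .. i .. ": played past game over" end
			local full = true
			for c = 1, WIDTH do full = full and heights[c] > 0 end
			if full then
				score = score + 10
				for c = 1, WIDTH do heights[c] = heights[c] - 1 end
			end
			state = nextRandom(state)
			column = state % WIDTH + 1
		else
			return nil, "input " .. i .. ": unknown key"
		end
	end
	return score
end
-- Server decision: only the replayed score counts, never the number the client sent.
local function acceptScore(seed, inputs, claimedScore)
	if type(inputs) ~= "table" or #inputs > MAX_INPUTS then return false, "bad log" end
	local score, reason = replay(seed, inputs)
	if not score then return false, reason end
	if score ~= claimedScore then return false, "claimed score does not match replay" end
	return true, score
end
-- Constructed sample log: one shift left, then one drop, with a claimed score of 0.
print(acceptScore(12345, { { 0, "L" }, { 3, "D" } }, 0))
```

In a Roblox game the seed would be generated and kept on the server, and `acceptScore` would be called from the server-side handler that receives the log. A replay rejects forged scores and impossible logs; it does not tell a human apart from a script that submits legal inputs.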

How about for a repetitive game with specific times to click (e.g. rhythm games)? What’s a good approach on that? As some exploiters may create a system to auto tap and fire (of course with mindless retries), and then be on the global leaderboard by cheating.

I’m thinking of completely removing the competitive aspect of the game due to this, which makes it less enjoyable for me and users.