How would i create a good anti-chat for my fps game (e.g. anti-aimbot, anti-inf ammo, server side anti-walkspeed etc)

i have a client-sided anti-speed but i know it is not secure and can easily be bypassed.

where should i start. for noclip i could try RayCast from the last pos and if the ray hits a wall the player gets kicked (with a 2 stud leeway for laggy players).

would it be alright if i just made 2 client sided scripts that if one is disabled/deleted the other kicks you or is server side better

note: i have never really made an anti-cheat

No, do this server-sided. An exploiter can stop a LocalScript from running without using the Disabled property, or they can just delete both scripts before they can tell the other is gone.

Stuff like anti-infinite ammo is the easiest to implement. You can just keep track of ammo on the server and make sure the player has enough to fire when they try. You should already be handling everything on the server.

ok, how would i make an anti aimbot?

First off, clientside checks are underrated. They’re a great way of catching a large portion of exploiters who are ill-experienced and are just using other people scripts, but they’re not, as you’ve said, by any means a full solution to the problem as they can be easily bypassed and workarounds will be quickly developed, especially for popular games.

I’ll run through each of your problems;

Anti inf-Ammo

This is an easy one! You can make an absolute fix for this by storing the amount of ammo a player has on the server, and not allowing the client any access to it. If this isn't currently the case you have a major problem with the networking of your guns.

Server Side Anti-WalkSpeed

For preventing speedhacking, WalkSpeed is generally a useless property to check. If an exploiter changes their WalkSpeed, the server cant see it, and most speedhacks don't even change the WalkSpeed property. Here, you're going to need to track the player's velocity changes over a period of time (server side) and try to recognise anomalies.

Anti Aimbot

Aimbot is a very difficult one to fix, and detection methods for this are nearly always going to have to be client sided, you’re going to have to do some research and/or think about fixes yourself, maybe someone else here knows a great way of stopping aimbot.

NoClip

Similar to WalkSpeed, you should track the player's position Server side, draw a raycast between them and check for objects that would obstruct the player. This is a really hard one to nail as players can of course walk around objects and so accidental false positives are common with this.

Above all, do not let anti-exploits intrude on the actions of normal players. Err on the side of caution, unless you’re 100% sure, always kick, don’t ban, and don’t kick unless you’re satisfied the player is exploiting. Anti exploits can become detrimental to your game if you start detecting the wrong people or run processing intensive checks that stop players on low end machines enjoying your game. Good luck!

what would the average player velocity be? keep in mind i will also have cars in the game.
sorta like battlefield with tanks and stuff as i have not seen anything like it on roblox

To add onto this, make sure you have server side checks that provide redundancy. NEVER have your server checks reliant on the client’s honesty.

Check every little detail. Additionally, here’s some advice from a Roblox staff member:

a lot of the actual advise was removed from the quote. i suggest you read the full post.

WalkSpeed is measured in Studs per Second, with the default being 16. A super dangerous and false positive riddled check would check if the player has moved more than 16 studs in a second, or if their velocity is higher than 16. You’re definitely going to want to add a degree of error, maybe 10-20 studs, I haven’t researched this myself so I don’t know what would be best.

ok, i will keep that in mind.

if only i could add more than 1 solution, @SteadyOn and @ElliottLMz have both contributed hugely and @posatta has helped too

Client side security measures can always be bypassed, and server anti-cheats (if made badly) will use a lot of memory, or be too intrusive and mess up user experience.

You should focus on the basics, like tracking their ammo server sided. Or detecting that the player they’re trying to shoot is actually within range.

ok, should i do a client side as sort of a paper wall for people who know nothing about bypassing but people who know how to can still get past which is what the server side is mainly for?

I mean, that works until someone who does know how to bypass it releases said bypass, which people who know nothing are going to be looking for anyways.

true, how would i do anti aimbot though? i still need to make the bullet drop btw

Detecting aimbot is something nobody has ever truly figured out. In fact, there are cheats that don’t even inject into the game, but instead use neural networks and pixel color detection.

If you detect it on the client, there’s nothing stopping me from just disabling your script. On the server your only bet is to try and detect anomalies, like check if a player is shooting too fast, or isn’t within range of the target they’re shooting, lookVector isn’t proper, etc.