I think the title is self explanatory, I want to know if hackers can steal workspace scripts, so I can set some scripts in ServerScriptService. Thanks for reading.
4 Likes
It doesn’t matter where the server script is. Exploiters cannot steal server scripts because their bytecode is never sent to clients. Though workspace isn’t just a place to dump server scripts. That is what ServerScriptService is for.
25 Likes
Like what @incapaxx said, the contents of ServerScript objects can not be decompiled from the client. What can, however, is anything replicated to the client, the content of LocalScript objects, and the content of ModuleScript objects that are replicated/required by LocalScript objects.
3 Likes
Basically what Edgy is trying to say;
Any ModuleScript or LocalScript that the players have access to see using their clients (which includes the ones in workspace), can be de-compiled by exploiters. Scripts on the other hand, no. Only the server can see those.
You can check what the player has access to by adding Dex to yourself using Adonis or any other admin that has it.
6 Likes
Better just to put all your scripts in ServerScriptService. Although the client can’t see the scripts, if someone were to, for example, unfortunately exploit copy your game, they wouldn’t be able to retrieve the code. On the other hand, if they copy your place and the scripts are in the workspace, they would be able to steal the code.
1 Like
No. Only LocalScripts and ModuleScripts that can be seen by the client (in a service that is replicated) have their bytecode replicated to the client. So any scripts that are in ServerStorage/ServerScriptService will not be replicated to the client. (including LocalScripts & Modules)
1 Like
I’ve had an experience where someone exploit copied a place of ours, and retrieved everything in the workspace (including some scripts) last year.
I am pretty sure exploiters are capable of taking scripts in the workspace if they copy the game.
They never can see normal scripts without having backend access. They either had access to your game using studio, or they had a backdoor.
1 Like
The only scripts that can be decompiled and read/stolen are LocalScripts and ModuleScripts. If you only use a ModuleScript on a server, it’s recommend to hide it in ServerStorage.
1 Like
There is no way exploiters could access server scripts, but they can take your local scripts. Keep your server scripts and ServerScriptService though.
Exploiters can definetely steal workspace scripts. Keep client-side scripts basic as possible and use RemoteFunctions to keep important stuff in server.
1 Like
No…but here’s the loophole. If it somehow gets replicated, whether that be automatically, Purposly or through exploiting; It can be.
I’d also like to note that some of these other reply’s while not all out wrong, more half-truths are misleading and it’s best not to state something unless you’re sure.
Wait so is keeping any kinds of scripts on “ServerScriptService” safe from exploiters?
Yes, because it’s encrypted in the server, you can’t access server stuff. Try it in Studio, if you put something in ServerScriptService or ServerStorage, you will not see anything if you play as client.
Oh alright, because I also had this question on how I can keep my scripts safe from exploiters, it can really help me now! Thanks for the info! 
Well then you are sorely mistaken. If someone has your game including server scripts you or another developer for that game had their account compromised. The only other way that something like that would happen is if someone had found an exploit to download assets they didn’t own on the website. (Last time this happened was in September 2017 from my recollection)
3 Likes