I’m creating a game, and I’m worried about exploiters, and I don’t know how to create anti-exploits or something about avoiding stuff since it can be used to exploit. Could you help me? I hope you respond to me, and thanks.
Honestly, you will meet people who have been creating games on Roblox for years and are still not 100% adept at the security of their game.
This is largely down to the always-changing nature of the Computer Science world, and some key areas of research and development will include something called cryptography. This is just an example, but what I’m trying to add is that no matter what you add into your game to try and make it secure, there will always be people who will design new things to get around your current security measures.
For now, I suggest reading through this article on the developer site of Roblox: Security Tactics and Cheat Mitigation | Documentation - Roblox Creator Hub
This will give you a basic understanding of how you, as a creator, can maximise security. Luckily for us, Roblox themselves are always working on ensuring the safety of our games so as long as you can stick to that guide Roblox themselves should take care of the rest.
Hope this helps! -Tom
Remote functions and events are the best option for client-server communication, but they’re not necessarily secure channels. A clever hacker may fake a remote event or change the values that are passed along with it. Because of this, you should use basic server-side validation to confirm that the incoming request is legal.
Consider a game with a shop system. When players want to buy an item, they will interact with an interface on the client side, for instance a screen GUI with a “Buy” button. When the button is pressed, the client can send a remote event to the server and request the purchase. However, it’s important that the server — the most reliable manager of the game — checks if that player has enough money to buy the item.
I made a post some time ago where I just tried to make a block where, if you press it, instead of an OnTouch script I would send a request to a RemoteEvent in ReplicatedStorage, but some people said that is not secure, so how do I make a server-side client? Since I can’t understand.
You will hear the same phrase all the time, and it’s for good reason too.
Never trust the client
A lot of exploits revolve around finding loopholes in RemoteEvent security.
For example, you might have a RemoteEvent that gives the player money. The exploiter can spy on the remote, and then send the same remote event, with information that the client sees as valid, to the server. Without any security, this would give the exploiter money.
However, you can do sanity checks. Make sure you do these on the server, as the exploiter can change anything on the client, but not on the server.
For example, you have a RemoteEvent that gives a player money, that you fire from the client to the server.
You could add several sanity checks on the server to make sure that it’s valid.
An example of one:
- Has the player just done something to earn the money? e.g. have they bought it, won a minigame, etc.
Of course, this won’t protect you from all exploiters. The way they work is finding loopholes in your code. Exploiters are relentless, and you’ll find yourself patching up things that they’ve found. They can fake anything, send anything and it’ll be deemed as valid. So, try your best to secure them now, experiment and then be ready to patch any loopholes that exploiters find later on down the line.
Ok, so if I do something like this:
A script that, if someone has money, will fire an event; another script will verify if the event has been fired.
Can the hackers abuse this? If I do this, will it not happen?:
A script that, if someone has money, will fire an event; another script will verify again if the player has money, and if yes, then the event will be fired.
Well, verifying by OnServerEvent will check if the event has been fired; that’s just basic callbacks. However, for anti-exploits, you need to do sanity checks. Question yourself: is it possible for the player to get that money?
For example, they’d obviously be able to get money if they just won it (check for the minigame finishing, things linked to it, etc.)
But they wouldn’t be able to get it if they’re doing something that doesn’t reward you with money (e.g. standing still; plain example, but you get the idea)
So, when you check for the event being fired, you can run the sanity checks.
A script that, if someone has money, will fire an event; another script will verify again if the player has money, and if yes, then the event will be fired.
Correct me if I’m wrong, but this isn’t necessary. You can do it all in one script, but when you do OnServerEvent (which is in a script, obviously), you do the checks then. That’s the only safe way you can verify it, but there’s no need to run multiple scripts to do the same thing; that’s just creating an unnecessary amount of load on the server.
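The sanity-check idea discussed in the replies above, written out as a server script. This is an added example, not code from anyone in this thread. It assumes a RemoteEvent named "ClaimReward" in ReplicatedStorage, a leaderstats IntValue named "Money" on each player, and a BindableEvent named "MinigameWon" in ServerStorage that the server-side minigame code fires when a player legitimately wins; all of those names are assumptions for the example. The point is that the client never tells the server how much money it should get: the server keeps its own record of who has earned a reward, and a faked or replayed remote with no matching record is simply ignored.

```lua
-- ServerScriptService/RewardServer (Script). Added example; names below are assumed.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local ClaimReward = ReplicatedStorage:WaitForChild("ClaimReward")   -- client -> server
local MinigameWon = ServerStorage:WaitForChild("MinigameWon")       -- server-only signal

local WIN_REWARD = 100      -- the amount is fixed here on the server, never sent by the client
local CLAIM_COOLDOWN = 1    -- seconds between accepted claims per player

-- Server-side record of who has actually earned something. The client cannot
-- write to this table, so a remote fired "out of nowhere" finds no entry here.
local pendingRewards = {}   -- [player] = number of unclaimed wins
local lastClaim = {}        -- [player] = os.clock() of the last accepted claim

-- Called only from server code (the minigame) when a player really won.
local function recordWin(player)
	pendingRewards[player] = (pendingRewards[player] or 0) + 1
end
MinigameWon.Event:Connect(recordWin)

local function getMoney(player)
	local stats = player:FindFirstChild("leaderstats")
	return stats and stats:FindFirstChild("Money")
end

ClaimReward.OnServerEvent:Connect(function(player)
	-- Sanity check 1: has this player just done something that earns money?
	if (pendingRewards[player] or 0) <= 0 then
		warn(("%s fired ClaimReward with nothing to claim"):format(player.Name))
		return
	end
	-- Sanity check 2: a replayed remote cannot be spammed faster than this.
	local now = os.clock()
	if lastClaim[player] and now - lastClaim[player] < CLAIM_COOLDOWN then
		return
	end
	local money = getMoney(player)
	if not money then
		return
	end

	pendingRewards[player] -= 1
	lastClaim[player] = now
	money.Value += WIN_REWARD   -- the server decides the amount, not the client
end)

-- Clean up so the tables do not grow forever.
Players.PlayerRemoving:Connect(function(player)
	pendingRewards[player] = nil
	lastClaim[player] = nil
end)
```

The client side only needs `ClaimReward:FireServer()` with no arguments. Everything the exploiter could tamper with (amount, whether a win happened) lives on the server, so the worst a forged remote can do is hit the `warn` line, which is also a useful signal to log.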
One thing I could add on is, if your game has rooms people aren’t supposed to be in unless they are part of a group or have completed a certain section of the game, you would want to implement anti-teleport detection to avoid people getting into those rooms they’re not supposed to be in.
My method is that every 5 seconds I would track the position of a player’s Torso, then I would track its new position 5 seconds later. I would then use magnitude to determine if the player is VERY far from where it was 5 seconds ago. If the player is too far, then :Kick() him for exploiting. Of course, if you have things like admin commands, you’d have to implement further checks to make sure it doesn’t kick those being teleported by other admins, but you get my point.
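The position-sampling check described above as a server script. This is an added example and not the poster’s own code. It assumes R15 characters, so it samples HumanoidRootPart rather than Torso, and it assumes that any legitimate server-side teleport (admin commands, checkpoints) sets a player attribute named "AllowTeleport" just before moving the character; that attribute name is an assumption. It also handles the two common false positives of this technique: a respawn between samples, and a character that was removed while the loop was waiting.

```lua
-- ServerScriptService/TeleportCheck (Script). Added example; attribute name is assumed.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 5   -- seconds between position samples
-- Must be larger than the distance a legitimate player can cover in one interval
-- (default WalkSpeed 16 studs/s * 5 s = 80 studs, more with vehicles or speed boosts).
local MAX_STUDS = 200

local function watch(player)
	while player.Parent == Players do
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		if not root then
			task.wait(CHECK_INTERVAL)
			continue
		end

		local before = root.Position
		task.wait(CHECK_INTERVAL)

		-- Respawned or removed while waiting: the two samples are not comparable.
		if root.Parent == nil or player.Character ~= character then
			continue
		end

		-- One-shot exemption that server-side admin/teleport code sets before moving the player.
		if player:GetAttribute("AllowTeleport") then
			player:SetAttribute("AllowTeleport", nil)
			continue
		end

		local moved = (root.Position - before).Magnitude
		if moved > MAX_STUDS then
			warn(("%s moved %.0f studs in %d s, kicking"):format(player.Name, moved, CHECK_INTERVAL))
			player:Kick("Teleport detected")
			return
		end
	end
end

Players.PlayerAdded:Connect(function(player)
	task.spawn(watch, player)
end)
```

Because the check runs on the server and reads the replicated character position, an exploiter cannot turn it off from their client; they can only try to stay under the threshold, which is why the threshold should be tuned to your game’s actual movement speeds rather than set very low.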
TO ADD:
Also NEVER allow the client to fire anything with int values, such as purchasing an item or trading currency. That means running things like this on the client side:
--In local script
game.ReplicatedStorage.RemoteEvent:FireServer(150, "Sword")
--In Server script
-- OnServerEvent always receives the firing player as its first argument; the client's arguments follow it.
game.ReplicatedStorage.RemoteEvent.OnServerEvent:Connect(function(player, Points, Item)
--[[
The reason you don't want to do something like this is because exploiters can run events whenever,
and if they can add their own values to events they can literally use these to break
your game. Always have shop prices or values SERVER sided. If you are doing something
where the player can type how much they want to trade to another player, then you should
implement checks to make sure the values are whole and above 0 on the server side. Exploiters can
negate values, and when used in subtraction equations they act as addition, and before you know it
all of the players are giving themselves millions of points or cash. If anything, store all costs of the items in a module or inside of the event handling script itself.
]]
end)
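A hardened version of the shop pattern above, also covering the shop example from the Roblox documentation quoted earlier in the thread. This is an added example and not the poster’s or Roblox’s code. It assumes RemoteEvents named "BuyItem" and "GiveCurrency" in ReplicatedStorage, a leaderstats IntValue named "Points", and a Folder named "Tools" in ServerStorage holding one Tool per item name; those names are assumptions. The client only sends the item name (never the price), the server looks the price up in its own table, and the trade remote rejects anything that is not a whole number above zero, which is exactly the negative-value trick the post describes.

```lua
-- ServerScriptService/ShopServer (Script). Added example; instance names are assumed.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local BuyItem = ReplicatedStorage:WaitForChild("BuyItem")
local GiveCurrency = ReplicatedStorage:WaitForChild("GiveCurrency")
local Tools = ServerStorage:WaitForChild("Tools")

-- Prices live on the server only. The client just names what it wants.
local PRICES = {
	Sword = 150,
	Shield = 200,
}

local function getPoints(player)
	local stats = player:FindFirstChild("leaderstats")
	return stats and stats:FindFirstChild("Points")
end

-- True only for a whole number greater than zero. Rejects negatives (which would
-- turn "subtract from sender" into "add to sender"), fractions, NaN, inf, and
-- non-numbers such as strings or tables that an exploiter could pass instead.
local function isPositiveInteger(value)
	return typeof(value) == "number"
		and value == value           -- NaN is the only value not equal to itself
		and value > 0
		and value < math.huge
		and math.floor(value) == value
end

-- Purchase: the server decides the price and checks the balance itself.
BuyItem.OnServerEvent:Connect(function(player, itemName)
	if typeof(itemName) ~= "string" then
		return
	end
	local price = PRICES[itemName]
	if not price then
		warn(("%s requested unknown item %q"):format(player.Name, itemName))
		return
	end
	local points = getPoints(player)
	if not points or points.Value < price then
		return   -- cannot afford it; the client-side "Buy" button check was only cosmetic
	end
	local template = Tools:FindFirstChild(itemName)
	if not template then
		return
	end

	points.Value -= price
	template:Clone().Parent = player.Backpack
end)

-- Trade: the amount is player-typed, so it must be validated before any arithmetic.
GiveCurrency.OnServerEvent:Connect(function(player, target, amount)
	if not isPositiveInteger(amount) then
		warn(("%s sent invalid trade amount %s"):format(player.Name, tostring(amount)))
		return
	end
	if typeof(target) ~= "Instance" or not target:IsA("Player") or target == player then
		return
	end
	local from, to = getPoints(player), getPoints(target)
	if not from or not to or from.Value < amount then
		return
	end

	from.Value -= amount
	to.Value += amount
end)
```

With this layout, changing the client's `FireServer(150, "Sword")` to `FireServer(-150, "Sword")` or `FireServer("Sword")` with a different price has no effect, because the server never reads a price from the remote at all.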
In my game that script is using my shop, how do I change it?