Help with sanity check for raycast

I’m working on a gun system using raycasts. I was thinking of doing the raycast on the client side for better performance and doing the sanity check on the server. I was thinking I would shoot an identical raycast on the server side and see if the two raycasts match up. The only issue is the raycast is going from the player’s character position to the player’s camera LookVector, and the only way I can get the camera LookVector is from the client, so shooting an identical raycast on the server side wouldn’t help because the client can lie to the server about their LookVector position…

Any ideas on how I can go about this?

You can try using a remote function and invoke the client, and on the client you can return the camera’s LookVector, but if exploiters get the hang of that there may be some properties of the game allowing them to do such a thing, such as loadstring(). That’s just my suggestion though. You can also try naming the remote function something else to manipulate the exploiters and make them think it utilizes something else, plus they can’t see the scripts inside and see what is used to shoot because their Source property is locked by default.

There’s no way for sure to get any information about the client’s camera. You can use client-side methods to try and detect suspicious aiming (which ofc can be bypassed).

Serverside sanity checks are necessary but don’t do anything against LookVector tampering, and it’s really hard to do anything against

You can’t run arbitrary code on the server without explicit definition on the server first; what you write on the server is what the server does, nothing more nothing less.

Don’t do it like this. Simply shoot a raycast from the character’s Head (or HumanoidRootPart.CFrame + Vector3.new(0, 1.5, 0) to prevent character animations from altering the Origin point) to the target mouse position.

You can also pass in a Ray object to the server to also run sanity checks on the Origin and Direction values.


Treat it as if all clients on the game lie about their arguments passed in. If you pass in a position value (Vector or CFrame, doesn’t matter) they can always be sanitized on the server. As long as you have some reference point on the server, you can sanitize virtually any client-influenced value.

Good idea!

Raycast on the server side and see if the hit position matches up?

In reality, they will never match up, and if they do it’s extremely rare.

Check the server’s hit distance from what the client returned.

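-- Maximum allowed gap (in studs) between the server's and the client's hit positions
local somePositionalError = 10
local dist = (serverHit.Position - clientHit.Position).Magnitude
-- Reject the shot if the two hit positions are too far apart
if (dist > somePositionalError) then return end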
1 Like
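
Added example, not part of any post in this thread: a server-side handler that combines the checks suggested above (server reference point for the origin, server-run raycast, hit-distance tolerance). The RemoteEvent name `FireShot`, the argument order, the helper names and the three constants are assumptions made for illustration.

```lua
-- Server Script. Assumed setup (not from the thread): a RemoteEvent named
-- "FireShot" in ReplicatedStorage; the client fires (origin, direction, claimedHit).
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local fireShot = ReplicatedStorage:WaitForChild("FireShot")

local MAX_RANGE = 300        -- studs; assumed weapon range
local ORIGIN_TOLERANCE = 6   -- studs; assumed slack for latency and movement
local HIT_TOLERANCE = 10     -- studs; same role as somePositionalError above

-- True only for a Vector3 whose components are all finite (rejects NaN and inf).
local function isFiniteVector(v)
	if typeof(v) ~= "Vector3" then return false end
	local m = v.Magnitude
	return m == m and m < math.huge
end

-- Returns the server's RaycastResult if the shot is plausible, otherwise nil.
local function validateShot(player, origin, direction, claimedHit)
	if not (isFiniteVector(origin) and isFiniteVector(direction) and isFiniteVector(claimedHit)) then
		return nil
	end
	if direction.Magnitude < 1e-3 then return nil end -- zero vector has no heading

	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return nil end

	-- The server's own copy of the character is the reference point: the
	-- claimed origin must sit near the head-height offset suggested in the thread.
	local expectedOrigin = root.Position + Vector3.new(0, 1.5, 0)
	if (origin - expectedOrigin).Magnitude > ORIGIN_TOLERANCE then return nil end

	-- Only the heading of the direction is used; the server sets the range itself.
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	local result = workspace:Raycast(expectedOrigin, direction.Unit * MAX_RANGE, params)
	if not result then return nil end

	-- The client's claimed hit must land close to what the server itself hit.
	if (result.Position - claimedHit).Magnitude > HIT_TOLERANCE then return nil end
	return result
end

fireShot.OnServerEvent:Connect(function(player, origin, direction, claimedHit)
	local result = validateShot(player, origin, direction, claimedHit)
	if not result then return end
	-- Apply damage based on result.Instance here, never on a client-supplied target.
end)
```

The direction itself remains client-chosen, as the thread notes; these checks only bound where the shot can start, how far it can reach, and what it can be credited with hitting.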
