As of right now, I have the server generate a random string (key) that is only sent to the client one time, that one time being when the player joins the game. Anytime the client fires a remote event/function, the key must be included. If a remote is fired and no key is sent, it kicks the player and logs their information to a discord server for further investigation.
The pros of this:
- The key is only obtained one time and cannot be obtained again.
- The key is different for each player
- Prevents remote abuse (I think)
The cons:
- If a player obtains their key through a remotespy script then the player can fire any remote they want.
- False detections may be common if a key cannot be generated or a remote event is fired before obtaining a key.
As for the script deletion, I have each local script loop a FindFirstChild event to verify that the script exists and isn’t disabled. I have a couple of other ideas for verifying the integrity of each local script, but I don’t know if they would work, nor do I know if they’re secure/working methods of checking.
Verifying client data every second could be a good idea, however Synapse comes with a built in remotespy script that could catch that encrypted data, which would allow them to manufacture fake client verifications meaning they could just delete the client checks without any repercussions. Although I do believe that remotespy is a fairly easy script to detect.
I think my best bet in the mean time is to go with the verification of client data because even though I explained how an exploiter could easily bypass it, I think I can still find a way to disallow them from doing so.