Hello,
I’m trying to make a service which Roblox uses, but I want to stop abuse. Currently the only way I know of is to check “Roblox-Id”, but that can easily be spoofed. Is there a better way? An IP range? Thanks.
You could also send a string (ideally as a header) that’s randomly generated beforehand.
You store that on both your Roblox project as a Secret, and also somewhere on your application.
If your application would receive a request that doesn’t have a header that matches that string, refuse to process it.
Although in this case, you should absolutely use HTTPS.
Disclaimer: I’m not sure if the Authorization header is already used by Roblox, but the essence is the same.
The issue is that this is open source and I don’t want people forging requests to act like they’re a game server when they’re not. I’ll recheck the headers later to see if it sends authorization.
That makes zero sense from a security perspective.
You don’t want people to forge requests from outside a game server… when they can just spin up a game server and make funny requests that way anyways?
What are you making anyways? Is there a reason for this odd security?
Python-based application server. It’s open source to help get some trust, but that might be a bad idea if people end up botting likes on apps. I disabled installing other servers on the Roblox side due to this concern, but I probably didn’t need to do that. I’ll keep trying to think of solutions, but the only thing I can think of is authentication headers for some games.
I’m not entirely sure why there’s a need to establish trust in the source code (not until you can tell me what the application does exactly):
But putting it as open-source is fine for that purpose.
That said, you could do what most major APIs do - provide a unique API key of sorts to users that they’ll attach to their requests to your application.
It won’t stop attacks, but at least you can revoke keys and handle abusers accordingly this way.
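An added example, not code from anyone in this thread, showing both ideas in Python (the OP's server language): the shared-secret header check from the earlier reply, and the per-user API keys with revocation from this one. The header name X-Service-Key, the key format and the in-memory store are assumptions made for the example; a real server would read the secret from configuration (not the open-source repo), keep the key store in a database and only accept these headers over HTTPS. The Roblox-Id header is deliberately ignored for the access decision, since the thread notes it can be spoofed.

```python
"""Authenticating requests from a Roblox game server.

Added example for this thread; header name, key format and storage are
assumptions, not Roblox's or the OP's design.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

KEY_HEADER = "X-Service-Key"  # assumed header name; Roblox-Id is never trusted


def check_shared_secret(headers: dict, expected: str) -> bool:
    """Option 1: one secret stored in the Roblox project and on the server.

    Constant-time comparison so an attacker cannot guess the secret
    byte by byte from response timing.
    """
    provided = headers.get(KEY_HEADER, "")
    return hmac.compare_digest(provided.encode(), expected.encode())


def hash_key(key: str) -> str:
    # Store only a hash so a leaked key store does not yield usable keys.
    return hashlib.sha256(key.encode()).hexdigest()


@dataclass
class KeyStore:
    """Option 2: per-user API keys that can be revoked individually."""
    active: dict = field(default_factory=dict)   # key hash -> owner label
    revoked: set = field(default_factory=set)    # hashes refused forever

    def issue(self, owner: str) -> str:
        """Generate a random key for `owner`; return it once, keep only the hash."""
        key = secrets.token_urlsafe(32)
        self.active[hash_key(key)] = owner
        return key

    def revoke(self, key: str) -> None:
        """Disable a key after abuse is detected; the hash stays blacklisted."""
        h = hash_key(key)
        self.active.pop(h, None)
        self.revoked.add(h)

    def owner_of(self, key: str) -> Optional[str]:
        """Owner for a valid key, or None if unknown or revoked.

        Looking up the SHA-256 of the presented key (rather than the key
        itself) means a dict lookup leaks nothing useful about the key.
        """
        h = hash_key(key)
        if h in self.revoked:
            return None
        return self.active.get(h)


def authenticate(headers: dict, store: KeyStore):
    """Return (allowed, owner_or_reason) for one incoming request."""
    key = headers.get(KEY_HEADER)
    if not key:
        return False, "missing key"
    owner = store.owner_of(key)
    if owner is None:
        return False, "unknown or revoked key"
    return True, owner


if __name__ == "__main__":
    store = KeyStore()
    game_key = store.issue("game-A")  # hand this to the game owner once
    # Constructed sample requests: one genuine, one only spoofing Roblox-Id.
    print(authenticate({KEY_HEADER: game_key, "Roblox-Id": "123"}, store))
    print(authenticate({"Roblox-Id": "123"}, store))
    store.revoke(game_key)
    print(authenticate({KEY_HEADER: game_key}, store))
```

With per-user keys the server can still be abused by whoever holds a valid key, as the reply says, but abuse is now attributable to an owner label and stops the moment that key is revoked; the shared-secret variant only distinguishes "has the secret" from "does not".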