How can I check client sided exploits from a server sided script?

I’m making a new game, but exploiters may be a big threat to it. I want to prevent client sided things like no clipping or btools. I know I can do this by a local script, but that isn’t really efficient and very easy to bypass, and I’m not really sure how to implement these checks from the server side (because it would be very difficult for exploiters to bypass). Is there any way to do this?

(I’ve already figured out how to prevent walkspeed and high vector3 movement to prevent flying and speed exploits so I am not really looking for that)

Any help is appreciated!

1 Like

If you detect anything on their client, fire a remote in the server to kick them. Client kick is not efficient as opposed to server kicks.

It’s impossible to do so.

You can’t.

The simple answer is that you simply cannot. Since they are created locally it is impossible to listen for these things being added from a server script. Instead, structure your game in a way that using btools or noclipping wouldn’t matter. I have seen instances of raycasting being used. If the raycast goes inside a part, then the player MIGHT be noclipping.

5 Likes
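The raycast check suggested above, written out as an added server-side example (it is not code from anyone in this thread): the server casts a ray between each player's previous and current position and treats a hit on collidable geometry as a possible noclip. The interval, the strike threshold, the snap-back and the kick are assumptions of this example, and a game that teleports players itself would need to clear `lastPos` for them first.

```lua
-- Added example: server Script (e.g. in ServerScriptService). Constants are assumed values.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local CHECK_INTERVAL = 0.2 -- seconds between checks
local MAX_STRIKES = 3      -- consecutive wall crossings tolerated before kicking
local lastPos, strikes = {}, {} -- keyed by Player

local function track(player)
	player.CharacterAdded:Connect(function()
		lastPos[player], strikes[player] = nil, 0 -- respawn: never raycast from the old body
	end)
end
Players.PlayerAdded:Connect(track)
for _, player in ipairs(Players:GetPlayers()) do track(player) end
Players.PlayerRemoving:Connect(function(player)
	lastPos[player], strikes[player] = nil, nil
end)

local function checkPlayer(player, params)
	local root = player.Character and player.Character:FindFirstChild("HumanoidRootPart")
	if not root then return end
	local from, to = lastPos[player], root.Position
	-- The ray runs against the server's copy of the map, which client-side deletions never touch.
	local hit = from and (to - from).Magnitude > 0.1 and workspace:Raycast(from, to - from, params)
	if hit then
		strikes[player] = (strikes[player] or 0) + 1
		root.CFrame = CFrame.new(from) -- put them back on the near side of the part
		if strikes[player] >= MAX_STRIKES then player:Kick("Movement check failed") end
	else
		strikes[player] = 0
		lastPos[player] = to
	end
end

local elapsed = 0
RunService.Heartbeat:Connect(function(dt)
	elapsed += dt
	if elapsed < CHECK_INTERVAL then return end
	elapsed = 0
	local characters = {}
	for _, player in ipairs(Players:GetPlayers()) do
		if player.Character then table.insert(characters, player.Character) end
	end
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = characters -- players never block each other's rays
	params.RespectCanCollide = true -- parts meant to be walked through do not count
	for _, player in ipairs(Players:GetPlayers()) do checkPlayer(player, params) end
end)
```

Requiring several consecutive hits before kicking matches the caution above that a single hit only means the player MIGHT be noclipping.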

Do exploits create scripts upon execution? If so, why couldn’t they check for a new script on the client side, and then kick the player if a new script is created using remote events?

The thing is a localscript is not required for executing code. I think @Autterfly said this but I could be remembering incorrectly. Pinging autterfly for input.

Using remotes for an anti exploit is a horrible idea since the client can choose to not call :FireServer or constantly send back OK arguments. And if using OnClientEvent they can disconnect the function.

1 Like

They can even delete the remote events very simply.

1 Like

What if I need to make sure btools is being detected or a part is deleted? Also, I’ll try ray casting out and see what it is.

Don’t. For the former you need a localscript which is instantly gonna be bypassed. For the latter this could lead to false positives if part deletion happens naturally (i.e. part of the game, like a mining game where you delete stone or something).

I’m making an obby and I want to make sure people can’t delete the kill bricks. Is there any way to do it so it cannot be bypassed? I’m not worried about false positives because I have all these kill bricks in one folder in workspace.

You can instead use a region3 that covers the entire killbricks instead. You would have the kill bricks still for visibility, but you have the region3 on top which they can’t delete.

Unfortunately exploiters are a huge problem for developers.
All we can do to protect our games is to build detection scripts, and make traps so they could easily expose themselves.
A detection for btools could be detecting on the client if any explosion or part has been destroyed, making sure that the server didn’t do that. What I use to make that is a simple remote function, and whenever a part is being destroyed from the map, using DescendantRemoving event, I check if it is a player’s character or a normal map, then I fire the remote function to the server and check if the part exists on the server side, and if it does then I easily ban the exploiter from the game.
If you’re deleting parts from the client you could make a whitelist you can iterate through each time something disappears and check if the part deleted is being whitelisted.

Another method I use to catch exploiters is through remote-traps.
Those are just simple remote events / remote functions that have names such as GiveMoney, KickPlayer, etc… Something that the exploiter would fire from this executor.
And on the server side I just ban the clients who fired the remote event / remote function.

Of course there are many and much effective solutions and detections, maybe more precise than mine, however you could as well try my methods and improve them so you could expose exploiters, and ban them from your game. I think that there are plenty of posts here on devforum explaining exploiting and how to protect our game’s assets and security as well.

EDIT : The best detection would be using DescendantRemoving event, and checking if the exploiter deleted something from your game.

1 Like

I said I wanted to check stuff from the server side if it was possible to not use the client side. Players can just delete stuff from the client.

I used ray casting and it actually worked, perfectly as I wanted! I’ve marked your answer as a solution. Thanks for helping.

Everything that a client does, isn’t replicated on the server, besides position and a couple of properties, thus every check you can do is only on the client.