How can I make a good anticheat for remote firing?

I am aware that every anticheat can be bypassed but I want a good enough anticheat that is really hard to bypass.

I have tried remote name changing, firing remotes through a module with protection (along with remote changing) and it still seemed to be bypassed. I have looked on here for solutions but everyone’s answer seems to be “it’s not possible to make a good anticheat” and that is just not what I am looking for.

Please hint me in the right direction! :slight_smile:

Three words.

Server Side Checks

Almost any anticheat you make can be bypassed so this is one of the essentials. Never trust the client, always do checks on the server whenever a remote is fired to determine whether the client was supposed to be firing that event.

And yes, you might think lik oh thats not exactly reliable but the truth is scripters rarely deal with anti cheats, unless much later in devlopment. As a bonus, here is an execellent article on Exploiting.


The simplest way to protect RemoteEvent objects which fire the server is to pass zero arguments to them.

This kind of defeats the purpose of remotes. How can you instruct the server/client to do something if you don’t pass any arguments?

If you dont have to pass arguments, don’t do that. I’ve seen many people send useless arguments within the remote, when they could just use it directly on the server.

If you really need, I believe you’d have to do sanity checks on the server.So even if the exploiter unpacks the arguments or does anything else, it wouldn’t work for him.

This video(by @5uphi ) explains it pretty well


To expand on Server Side Checks it’s important to know what is and is not server side. A often surprising remote event is all Touched connections. clients can fire a Touched event at any time for any object they please. The server needs to check distance on vital events for genres like capture the flag games.

If you posted more concrete examples of what your remote events are in charge of we could help with the specifics, otherwise we can only say do server side checks.

1 Like

The ‘RemoteEvent’ object itself can represent its purpose (without relying on its arguments to indicate its purpose).

Be that as it may, if I have a remote event Give10_000Dollars:FireServer() and I don’t put a server side check on it it’s just as exploitable as GiveXDollars:FireServer(10_000). Passing arguments isn’t the problem it’s implicitly trusting the arguments that’s the problem.

1 Like

Both inaccurate analogies of what I’m describing, if its existence was completely necessary it’d ideally be named ‘GiveDollars’, the server would then appropriately determine how many dollars to award.