How can I secure my game from exploits?

I am working on a racing game with a few of my friends. However, the cars work in an animated fashion, which means that they run on the client (because they use RenderStepped). How can I go about making the game secure if much of the gameplay has to be done on the client anyway? I understand how to secure stuff like the shop or admin commands (since I already use remote events for those to prevent exploiters from abusing that), but how would I go about securing a script that can only run on the client and cannot use the server?

You would need to observe the car’s movement on the server to see if it’s moving too fast, turning too fast, or flying or such. Quite complicated, needs some work.


Bad idea, as it can lead to false reports. If a player has bad internet, the server will think they are cheating…

Server-sided checks. Client stuff can be bypassed. Anyone who says otherwise has lost their mind and should probably eat a donut at 5am to regain max efficiency. That or McNuggets.


This is why you don’t insta-ban. Instead, for example, if you see a player travelling too fast, simply teleport them back.

With regards to just teleporting them back, I think it is much easier to just kick them overall since if they change the speed of their car, they’ll keep the speed and I will have to do an anti-exploit on the client. So overall what I do is the server just checks if they are speeding, then waits a few seconds and checks if they’re speeding again. If both criteria are met, the player will be kicked.

Stuff like vehicle mechanics can be sanity checked by the server. If your mechanics are exploitable to the extent where you need a “client sided anti exploit” to keep it secure, you should probably consider rewriting said mechanics.

I already wrote a server side anti exploit inserted inside each car that takes note of how fast the car is moving, and how long it is off the ground. If something seems off about the speed or the time off ground, it’ll wait a few seconds and check again. If it’s off after a few seconds, then there is a really good chance the player is exploiting, and they will be kicked.
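
The two-pass server check discussed in this thread, sketched in Luau as an added example (not code from any of the posters). The thresholds, the 10-stud ground probe, and the assumption that each car is a Model with a PrimaryPart are placeholders to tune per game; speed is averaged over a sampling window so a burst of delayed position updates from a laggy player does not count as a violation on its own.

```lua
-- Server Script. All constants are assumed values, not taken from the thread.
local Players = game:GetService("Players")

local MAX_SPEED = 250     -- studs/second: fastest legitimate car plus a margin
local MAX_AIR_TIME = 4    -- seconds off the ground before it looks suspicious
local WINDOW = 1          -- seconds per sample; smooths out lag bursts
local RECHECK_DELAY = 3   -- seconds a violation must persist before the kick

-- True when nothing is within 10 studs below the car (the car itself is ignored).
local function isAirborne(root, car)
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { car }
	return workspace:Raycast(root.Position, Vector3.new(0, -10, 0), params) == nil
end

-- Watches one car until it is removed or the player leaves.
-- Speed comes from position deltas measured on the server, not from any
-- value the client reports about itself.
local function monitorCar(player, car)
	local root = car.PrimaryPart
	local lastPos, airTime, firstStrike = root.Position, 0, nil
	while car.Parent and player.Parent == Players do
		local dt = task.wait(WINDOW) -- returns the time actually elapsed
		local pos = root.Position
		local speed = (pos - lastPos).Magnitude / dt
		lastPos = pos
		airTime = if isAirborne(root, car) then airTime + dt else 0

		if speed <= MAX_SPEED and airTime <= MAX_AIR_TIME then
			firstStrike = nil          -- back to normal: forget the first strike
		elseif not firstStrike then
			firstStrike = os.clock()   -- first strike: note it and keep watching
		elseif os.clock() - firstStrike >= RECHECK_DELAY then
			player:Kick("Vehicle movement failed server validation.")
			return
		end
	end
end

return monitorCar
```

If the server itself teleports a car (a checkpoint respawn, for example), restart the monitor for that car so the jump is not measured as speed.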