How do I make this client-side melee hit box more secure?

I am doing hitboxes on client side then detecting targets on server side, I have already made a distance check so that exploiters can kill everyone around the map, but something that I worry about is how the player can just walk around in somone’s area and abuse the remote and hit players nearby without clicking. How do I prevent this?


	local function Hitbox(Damage, Long)
				local R ="HumanoidRootPart").Position, StandModel:FindFirstChild("HumanoidRootPart").CFrame.lookVector * 100)
				local IgnoreList = {LocalPlayer.Character or LocalPlayer.CharacterAdded:Wait()}
				for i,v in pairs(workspace:GetDescendants()) do
					if (v:IsA("Part") or v:IsA("Accessory") or
						v.Parent.Name == "TWAU" or
						v.Parent.Name == "EchoesA3" or
						v.Parent.Name == "DiverDown" or
						v.Name == "Part") then
				local v = workspace:FindPartOnRayWithIgnoreList(R, IgnoreList)
				if v ~= nil then
					if v.Parent:FindFirstChild("Humanoid") and v.Parent ~= LocalPlayer.Character and v.Parent:FindFirstChild("Deb") == nil then
						local Deb ="BoolValue", v.Parent)
						Deb.Name = "Deb"
						LocalPlayer.Character:FindFirstChild("Remotes").Combat:FireServer(v, Damage, Long)


script.Parent.OnServerEvent:Connect(function(player, target, damage, long)
	local magnitude = (player.Character.HumanoidRootPart.Position - target.Parent.HumanoidRootPart.Position).Magnitude
	if magnitude > 15 then
	local BV ="BodyVelocity", target)
	BV.maxForce =,25000,25000)
	BV.Velocity = player.Character.HumanoidRootPart.CFrame.lookVector * long
	local S ="Sound", target)
	S.SoundId = "rbxassetid://131237241"
	S.Volume = 0.75	
	S.PlaybackSpeed = math.random(90,110)/100

Use dot product so they physically have to be facing the object or they have to do some complex maths to find the value for it

Yes, I could use that, but how do I detect that they are clicking? Because I dont want the exploiter to just face someone while spamming remote event (i already added a check in between remote event durations so that they cant spam it)

have a count interval and make it so if it is a fraction of like 50 for example it wont work, and on the server make sure to check their fraction count divisor to make sure it didnt change. If it did, kick them.

No like I already did that but like Im saying that I was going to use dot product but I dont want the exploiter to just face the enemy and fire the remote to deal damage, i want the exploiter to actually click to attack

have the remote send there position and compare it to the others with serialization to make the dot product check faster

no I don’t think you’re understanding my question. If I add dot product check, the exploiter can still fire remote without clicking while facing the target. I want the exploiter to click to deal damage

Like are you asking how to detect when the Left Mouse button is Clicked?

Yeah basically, like how to detect mouse button is clicked and if there is no detection from the mouse when the remote is fired, it can either return or kick the client

Not really possible besides using server sided cooldowns.

You can use the MouseButton1Click function I guess. Then just put your code inside of it.

Would I put it in the server script? like the one i posted above

overall it looks pretty safe, except that you should make the server check the debouncing and creating the “Deb” instead on the client side

No. Local Script. Once the Left button is clicked, call your functions within the MouseButton1Click function and fire the remote event. I’m not sure if this is the safest way to do it. You might have to add a cool down in the server script to check and make sure that people can’t spam click the function.

Put it in the local script actually. I edited my comment above a bit.

Wait why should deb be on the client side instead of the server side?

I already did Mouse1Button in the local script, that was just a snipet of code for the client, anything else I need to do?

I feel like as long as you have a function detecting when the mouse button is clicked, you should be fine.

I’m trying to fix it where an exploiter can literally attack without clicking

I said the debounce should be on the server side instead of the client side. In your scripts, the client one was the one that’s adding the debounce to the target humanoid, then firing the remote, while on the server side you have no checking if the target was already hit/have a debounce or not, that means once the player gets in range of a target, and if they are an exploiter they can just mass fire the remote and bypass the cooldown