How do I protect a remote from exploiters?

I am trying to make a Gui to execute code for giveaways (for in-game) and live events that can be made on the spot by Dev & Game Owners.

But I don’t want to end up making a backdoor. Is there any way to make one that can only be used by specific players?

Anything accessible to the client can be tampered with by exploiters. That’s why it’s best to have server side sanity checks for everything you do.

An exploiter can still change their UserId and name and the like, but it will only show on the client in FE games. So adding checks on the server is the way to go about it.

i.e., check if the UserId is the game owner, or high enough role in the group if the game is owned by a group.

You could assign these specific players a key, that allows them to communicate with the server. Then once the server connects to the fired event, it can validate the key that the client has provided it.

Edit: Another good option would be to have the server maybe store a table of players that can use the remote. Then, when the client fires/invokes the remote, the server can validate the request by searching through the table to make sure the client checks out.

Simply just a Module Script that creates the Live Events on the Server Side…
Only users with ‘edit’ permission to the game can run the Server Command Line in the Developer Console.

So then just call the functions manually in the Dev Console.

Just tried using the key system… seems to work.

Using a key system is not giving your remotes any extra security. The client needs to send it themselves. That would be like me giving you 5$ but you not expecting me to know that I gave you 5$. Exploiters will always be able to see data passed through fire/invoke server. You should instead consider all the replies above: implement sanity checks like “is this user an admin” or whatever.
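
The server-side check the replies describe, as an added example that is not part of the original thread: the handler trusts only the `player` argument the engine passes to `OnServerEvent`, and dispatches to a fixed table of actions instead of running client-supplied code. The remote name, rank threshold, UserId and `StartGiveaway` action are assumptions for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not code from the thread.
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local MIN_GROUP_RANK = 250      -- assumed threshold for group-owned games
local ALLOWED_USER_IDS = {      -- constructed placeholder UserId
	[1234567] = true,
}

local remote = Instance.new("RemoteEvent")
remote.Name = "LiveEventRemote" -- hypothetical name
remote.Parent = ReplicatedStorage

-- Fixed set of actions: the client picks a name, it never sends code to run.
local actions = {
	StartGiveaway = function(caller, prize)
		-- Arguments come from the client, so validate type and size.
		if type(prize) ~= "string" or #prize > 50 then
			return
		end
		print(caller.Name .. " started a giveaway: " .. prize)
	end,
}

local function isAuthorized(player)
	if ALLOWED_USER_IDS[player.UserId] then
		return true
	end
	if game.CreatorType == Enum.CreatorType.User then
		return player.UserId == game.CreatorId
	end
	-- Group-owned game: CreatorId is the group id. The lookup can fail, so fail closed.
	local ok, rank = pcall(player.GetRankInGroup, player, game.CreatorId)
	return ok and rank >= MIN_GROUP_RANK
end

remote.OnServerEvent:Connect(function(player, actionName, ...)
	-- `player` is supplied by the engine, not by the client's arguments.
	if not isAuthorized(player) then
		warn("Rejected LiveEventRemote call from UserId " .. player.UserId)
		return
	end
	local action = type(actionName) == "string" and actions[actionName]
	if action then
		action(player, ...)
	end
end)
```

Nothing the client sends decides who the caller is, so a key or UserId passed as an argument adds nothing to this check.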