How do i secure my remote event?

Hi!
I making a sword, i used remote event to fire to server then server will deal damage
but i worry about security because when i fired it i need to enter character to deal damage, it mean i failed security about remote event, but i don’t know how do i fix it

this is code I used in it
On server side:

script.Parent.DealDMG.OnServerEvent:Connect(function(plr,chr)
	debounce  = false
	local a = game.Players:GetPlayerFromCharacter(chr)
	print'no'
	if a then
		chr =a.Character
		print'plr'
		if a.TeamColor ~= plr.TeamColor then
			
			print'ha'
			chr.Humanoid:TakeDamage(10)
			if chr.Humanoid:FindFirstChild("Tag") then
			chr.Humanoid:FindFirstChild("Tag"):Destroy()
			local b = Instance.new("ObjectValue")
			b.Parent = chr.Humanoid
			b.Name = "Tag"
				b.Value =  plr
			else
			local b = Instance.new("ObjectValue")
			b.Parent = chr.Humanoid
			b.Name = "Tag"
					b.Value =  plr
					wait(0.1)
					debounce = false
				end
				
		end
	else
		if chr ~= nil then
		chr.Humanoid:TakeDamage(10)
			print'self'
			wait(0.1)
			debounce = false
		end
		end
end)

Local script in sword (just some of it)

Hitbox.OnHit:Connect(function(hit, humanoid)
	dealdamage:FireServer(hit.Parent)
end)

Thank for all answer and sorry for bad english.

Try to do some research on sanity checks.

What is the issue? It seems like you’re dealing 10 damage regardless what the client sends?

I’m not sure the details about exploiting, but a basic sanity check is checking if the player actually clicked the weapon when the server is fired. For instance;

=== [Client Side] ===
local WasWeaponFired? = false
local Damage = 50

tool.Activated:Connect(function()
     WasWeaponFired = true
     game.ReplicatedStorage.RemoteEvent:FireServer(WasWeaponFired, Damage)
     WasWeaponFired = false
end)

=== [Server Side] ===

game.ReplicatedStorage.RemoteEvent.OnServerEvent:Connect(function(player, WasWeaponFired, Damage)
     if WasWeaponFired == false then return end
     print("Player Clicked Tool!")
end)

Basically if the RemoteEvent was fired without the player activating the tool, don’t allow the function to happen. People put advanced code there as well in replacement of the return such as a ban function if it fires without the tool being clicked 3 times, or a warning system.

They can easily bypass that check.

Notice how I said a “Basic” Sanity check and “I’m not sure the details about exploiting.”

EDIT: Not knowing about how to exploit doesn’t necessarily mean I have no knowledge of Sanity Checks.

EDIT: Why would I make a complicated system for him to follow here? He should discover how to do that on his own. I was just giving him the basic understanding.

Yes, it is basic, almost to the point to being useless.
You should implement more advanced checks than that.

EDIT: You shouldn’t even tell the client the damage it should deal, as it can be abused to the max.

Use a sanity check. Double check that the information the client sent matches what the server sees.

Well, you should treat your client code like it can be modified or changed. I wrote a fairly detailed article on game security in Roblox which goes into way more detail than I do here if you’d like to read it.

Basically think like your client code will always be something that can be changed or rewritten by an exploiter. An exploiter can, for example, call DealDMG:FireServer(character) whenever they want, and, based on your checks above this will just work regardless of whether the person used the sword, if the sword actually hit, or if they’re in range. This isn’t what you want (obviously, that was your question in the first place). Instead, you want to check if it makes sense, in other words, as said above, a sanity check. A simple sanity check for swords is to check the distance between the two players. You can assume that a target (hit) player’s HumanoidRootPart position can’t be further than the length of the sword give or take a couple studs. For example, distance <= swordLength + 2.

Another, very accurate sanity check is to raycast from the base of the sword to the tip of the sword. (I highly recommend using the new workspace:Raycast() function, the existing raycast functions were just deprecated and are harder to use in this scenario).

Similarly, for guns, usually you’ll simulate the collision on the server. If guns in your game were to use raycast, you might have the client ask the server to shoot a bullet. The server then does all of the work. On the client, you might also have a copy of part of that code to show the bullet being shot for them. If guns in your game used physics, you could do the same thing, just have the client ask the server to fire the gun (or start firing the gun if its auto). The server then decides when damage is done (and again the easiest way is a raycast).

Your sanity checks should never be based on information sent over the remote. For example, sending a swordEquipped value over the remote is pointless because an exploiter can again, basically edit your client code or just write their own.

Uhh sorry, i edited my code above

I already know about it
but i don’t know what to check.

You can’t put that damage like that. Any exploiter will fire (deal damage remote) in while loop and put the argument Character, then kill everyone.

I already try to discover how with myself now, but i really don’t know how, so that why i opened this topic

I already have these check on the server side:

1. I will do not tell damage that should deal
2. I will stop the function if tool isn’t on player character

This is thing what i have problem with

1. Server need player character to deal damage but exploiter can just forward FireServer(character)

It’s problem i have.
I don’t know how i can secure it.

I think put it in script not local
like put in script if sword touched then it damage

If i do that, all character that touched sword will have damage, it do not fair!

Like which characters do you want to damage?

You mean like you wont know who touched the sword??

Any, but i want player must activate the tool first. then we’ll deal damage he

I used RaycastHitbox to make Touched event