How do I validate client sided sanity checks?

For example, let’s say I Invoke a request to the server from the client asking for the player’s damage stat. This invoke then sends back the damage stat back to the client. How would I protect this information against any unauthorized changes to the stat that gets invoked back? Of course, there are better ways to do this that don’t need an invoke, but this is just an example to help explain my situation.

Since exploiters can intercept data going to or coming from the server, is there even a way to validate this information? If not, what alternatives can I use?

The only way exploiters can influence the result is by sending in different arguments. If the damage stat is on the server and the client requests it through a remote function then it should always be accurate

1 Like

Encrypt the information and put it into a long table filled with mess. This way only you know which one holds the information. And any kind of decryption software they are using will have a very hard time as it wont find any patterns.

Well, since exploiters can change the data on their client, it would be unsafe to use remote functions to receive the player’s data. You should consider making your stat-server sided, then you wouldn’t have to interfere with the player’s client.

I think you may be underestimating the power of deobfuscators lol.

1 Like

+ behavioral patterns can be observed. e.g “when I do X, action Y always happens” and they can just look at context from there. So I don’t think encryption would be useful here lol

Hm, @sjr04 told me the opposite, is there any where on the DevHub where I can read more about this?

Honestly, there is no known way for the moment, data you pass through Remotes will be vulnerable. The only thing is, if you have for example, a damage number, how much damage you want to hurt the player and want to pass that through remotes, you can easily do that in the server.

Try to supress the amount of data passed through Remotes as that is currently, what I think the best current solution.

Theres more you can add.

Key things:
the shorter the data passed through the harder it is to find the key

characters reoccurring is what it mainly looks for (these will be likely to pair with some letters like ‘a’ , ‘e’ as they are often used.)

There is a lot more you can do to hide your information.

  1. Space it out in with random characters
  2. Split the information into fragments
  3. Put it into a table that has a bunch of random strings stored
  4. Alternate between encryption keys

My information being fed could be split between all three. And each might only carry a few characters. This means finding a pattern wont really happen. because I could have put it in backwards, and split up the pieces and combined them with random string. It cant find the key while its fragmented and corrupted with random string.
and without any pattern to find the key or to fragment and corrupt the data, it would be safe.

Its purely how you approach it.
as I said before there are a ton of combinations, and it wont be able to find any pattern if its like this.

Sounds neat, although I would still never rely solely on obfuscation, maybe a mix of both at most.