So I am currently using a webhook to transfer and store backup data. How would I encrypt the webhook in the script so people don’t just copy it and abuse it? (We’ve had sabotages on our own team before.)
If you’re really inclined, you can encrypt using OpenSSL - Wikipedia, a good tool for cryptography.
(although… I do believe this is a bit extra for a discord webhook. Have a little bit more trust in your team.)
If you’d like to program your own encryption algorithm in-game, Wikipedia has the RSA algorithm in simple terms: RSA (cryptosystem) - Wikipedia
You might be able to use string.pack and string.unpack for data compression, but it might also work for data encryption.
I would love to trust our team more, but our team consists of hundreds of players.
Why? There’s no way all 100 of those players are necessary, and need to be in the server that webhooks are being sent to.
You could just use OpenSSL to generate a public and a private key, or you could remake the RSA algorithm in Lua (both work).
The real issue is that if untrustworthy people are able to see your server-side code, they will also be able to see the private key (as you have to have the private key in the script to decrypt the code and use the webhook!). Even mitigation techniques like putting it in a website and only letting Roblox servers access that site can be foiled if your adversary simply checks it in studio.
If it’s the only option, and you CAN’T trust your team, I’d encrypt it anyways, because I’d bet that some skid stealing a discord webhook has absolutely no clue how to decrypt RSA. You could also use other obfuscation measures like Lua obfuscation / reversing strings / things like that.
Although, I am warning you, this task is basically impossible. Anyone who has access to the script can simply copy the code, no matter how obfuscated, and run it in their own instance of studio to spam your webhook.
Not going to be possible unless you use some very heavy obfuscation to back up whatever encryption you intend on applying to it (and having code inside of that obfuscation protecting some part of the webhook). People will very easily be able to decrypt it since they have the code.
A better option is to look at the root issue which is that people can spam the webhook right?
Don’t communicate directly with the webhook, instead communicate with it through a proxy, in this case a little web server which runs some code which is able to create a secured connection with a real Roblox server (there is an API to be able to verify game id and job id and match it to IP addresses to verify if the IP communicating is actually from Roblox). Then also have an API key within that request that only you should know. Then as a final resort, make the webhook not hold any serious power and filter out messages sent to it to, for example, not be able to send @ everyone messages to the Discord, and make it have a rate limit so it can only be requested so many times by a certain IP address.
As an extra precautionary measure, keep logs of which IPs are sending requests and what those requests consisted of.
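The proxy-side checks described in the post above (per-IP rate limit, API key, mention filtering, request logging), as an added example that is not part of the original thread. The key, limits and function names are assumptions, and the Roblox-origin check the post mentions is left out because the thread does not name the API.

```python
import hmac
import logging
import time
from collections import defaultdict, deque

# All names and values here are assumptions for illustration.
API_KEY = "constructed-example-key"   # in practice, read from the proxy's environment
MAX_REQUESTS = 5                      # requests allowed per IP ...
WINDOW_SECONDS = 60.0                 # ... within this sliding window
MAX_CONTENT = 1900                    # keep forwarded messages short

log = logging.getLogger("webhook-proxy")
_hits = defaultdict(deque)            # ip -> timestamps of recent requests


def sanitize(content):
    """Defang mass mentions and cap the message length."""
    for mention in ("@everyone", "@here"):
        # A zero-width space after '@' stops the text from parsing as a mention.
        content = content.replace(mention, "@\u200b" + mention[1:])
    return content[:MAX_CONTENT]


def check_request(ip, api_key, content, now=None):
    """Return (http_status, payload_to_forward_or_None) for one request."""
    now = time.monotonic() if now is None else now
    # Audit trail: %r escapes newlines, so a request cannot forge log lines.
    log.info("request ip=%s content=%r", ip, content[:200])
    window = _hits[ip]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()
    if len(window) >= MAX_REQUESTS:
        return 429, None
    window.append(now)                # count failed attempts too (slows key guessing)
    # Constant-time comparison avoids leaking the key through timing.
    if not hmac.compare_digest(api_key.encode(), API_KEY.encode()):
        return 401, None
    # allowed_mentions with an empty parse list tells Discord to ping nobody.
    payload = {"content": sanitize(content), "allowed_mentions": {"parse": []}}
    return 200, payload               # caller posts this to the webhook URL
```

The webhook URL itself never appears in the game script; only the proxy holds it, so rotating the API key or the webhook does not require touching the place file.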