How to make a secure contact form in plugin

Since plugin source can be viewed from files, the link to post the contact form can be exposed easily.

Is there some method I can use to securely post data, like some APIs do, as it's impossible to use a data store?

You should set up a server that has an API key and will send some request to the server.

Maybe when the user puts the files in Studio, check the user ID of the person who is viewing the content; if it's another person, like that's not your ID, then destroy the script or troll him by saying something. I don't know if that's possible, but it would be cool.

You can’t run scripts without play-testing or running the server.

With a plugin you can, like, the user got the file, OK? But he got it because he is using the plugin too! So you can check from the plugin, like check if anything is added in the game with ChildAdded:…
So you check if the script was your plugin. How do you check? In the script you can add an attribute, for example PluginKey, so it checks if it's a script; if yes, then check if it has the key, so the plugin destroys it. Well, the user can turn off the plugin and it will ruin everything, sadly.

Roblox has to do something about that!

If you have control over the server that receives the form requests, you can probably make it reject any user agents that don't match up with Roblox Studio.

There are still problems then, as users can use the key with their own scripts in Studio, still coming from Studio, and servers are expensive.

There’s nothing you can really do to prevent people from accessing the form URL, aside from heavy obfuscation (which is against TOS).

The only option is to secure it server side by checking the user agent and rate limiting.

I have an idea for Roblox, which is:
When creating a plugin you can add a key or something, or it generates it automatically, or

Roblox adds the creator ID to the data. For example, when I create a plugin and publish it, the script itself has my user ID; then when someone tries to put it in the Explorer, Roblox has to add a system that checks the scripts and checks whether you are the owner of the plugin or not. If not, then the script gets deleted instantly. I hope they do that; it's better.

I’m not sure whether this helps with plug-in code but for experience scripts there is a Secrets system that you can use to add a private key to outgoing HTTP calls. You set the key in the creator web interface so it doesn’t need to be included in your game code.

https://create.roblox.com/docs/reference/engine/datatypes/Secret

The secrets are set in the Creator Hub Dashboard by clicking on an experience and then Configure > Secrets. While you’re developing you can set up testing secrets in the Game Settings > Security section after Allow HTTP Requests is turned on.

Can’t really do much to “hide” things inside of a plugin, as you can just decompile / view the source code. Your best bet is to create a web server and have the response of the form be logged there. As for security, you could either make the users enter an access key which you give out or create some other form of authentication.

If it's just for communication, it honestly probably makes more sense to just direct users of your plugin to a Discord or something.
If you want to hide an API key, you'd need to set up a server for that anyway, though.

But:

One could simply send requests to any server you set up; user agents, like any header, can simply be set, after all.

And even if you implemented your own authorization logic, one could simply use whatever token you give back to spam you.

Rate limiting could help a bit, but VPNs exist. And if you rate limit too much, it might break things for legitimate users.


That only works for games.

I know, but there’s not really any way to completely prevent abuse. But the idea is to just make it harder, and these approaches seem good enough for most online services.

I’m not sure what the contact form is being used for, but chances are the user doesn’t need to use it more than once per minute or so.

Actually, now that I think of it, what OP could do is require the plugin user to use some sort of authentication method where the user links the app to their roblox account, and then use that to generate account specific keys that are required to use the form. Then, the form can be ratelimited by account.

Of course, someone could make a bunch of Roblox accounts to spam the form, but given how much effort it would take, and how easy it would be to just ban those users from using the form, it should deter almost everyone.
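The server-side gate described in the last two posts (per-account tokens issued after the user links their Roblox account, rate limiting by account rather than by IP, and banning abusive accounts), written as an added Python example that is not from the thread or from Roblox. The `ContactFormGate` class, its method names, the one-per-minute policy and the `RobloxStudio/` user-agent prefix are all constructed for illustration; the user-agent check is only a cheap filter, since, as noted above, any header can be set by the client.

```python
import secrets
import time
from collections import deque

class ContactFormGate:
    """Server-side admission check for contact-form submissions.

    Decisions are made per linked account (via an issued token), not per IP,
    so VPN hopping does not reset the limit and a misbehaving account can be banned.
    """

    def __init__(self, window_seconds=60, max_per_window=1,
                 expected_ua_prefix="RobloxStudio/"):  # assumed prefix; verify against real traffic
        self.window = window_seconds
        self.limit = max_per_window
        self.ua_prefix = expected_ua_prefix
        self.tokens = {}     # token -> account id, filled when the user links their account
        self.banned = set()  # account ids that have abused the form
        self.history = {}    # account id -> deque of recent submission timestamps

    def issue_token(self, account_id):
        """Called after account linking succeeds; returns a fresh unguessable token."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = account_id
        return token

    def ban(self, account_id):
        self.banned.add(account_id)

    def check(self, headers, token, now=None):
        """Return (allowed, reason). `now` is injectable so the policy can be tested."""
        now = time.monotonic() if now is None else now
        # Cheap first filter only: the header is client-controlled and proves nothing.
        if not headers.get("User-Agent", "").startswith(self.ua_prefix):
            return (False, "bad user agent")
        account = self.tokens.get(token)
        if account is None:
            return (False, "unknown token")
        if account in self.banned:
            return (False, "banned")
        # Sliding window: drop timestamps older than the window, then count what is left.
        recent = self.history.setdefault(account, deque())
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return (False, "rate limited")
        recent.append(now)
        return (True, "ok")
```

The window and limit are constructor arguments so a stricter or looser policy can be chosen without touching the admission logic.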

Plugin source code cannot be viewed in files when you install from the toolbox; in contrast, if you install it as a local plugin then the source code can be viewed in PC files, or if you give them a local file, only then can the source code be viewed.

Obfuscation is your only answer; however, it's not good having obfuscated code in a plugin, it would seem shady.

It definitely can be viewed. Web browser extensions allow downloading free models, and even show their contents briefly.

It can; all plugins are located in a folder with your user ID, containing the plugin version and the plugin as an rbxm file.

I'm pretty sure obfuscated code in plugins is against the TOS, even if it isn't malicious.