There is no perfect server anti-cheat in a game. Every anti-cheat has its own advantage and disadvantage, with much more disadvantage than advantage.
The reason why there are many local script anti-cheat is because of replication. There will be a delay in the communication of players and the server. There are also objects that exploiters will add to the game but won’t replicate to the server. Using a local script, you will see the client’s own perspective of the game. However, this has a disadvantage of the exploiter just deleting or disabling the script.
@AC_Starmarine Please send your solution in one message instead of a one-by-one.
@ScriptedSuper LocalScripts are not replicated to the server. If you try to index an object in the server that only the client can see, it will be nil.
No, that isn’t how all exploits work. There are some exploits that load before the player can join or even their client loading.
Well, the only way to actually defend against exploit injectors would just be to check the spikes in the client’s memory usage which has to be done on the client. So there’s not that much you can do except try to do some exploit checks on the client but those exploit checks are vulnerable to just being deleted.
@DogGuyTheThird Anti-cheat in the server is a very broad topic. There will be ups and downs.
Instead of worrying about exploiters, worry about the logics and system that you will add in the server. Every mechanics in the server should be secured, e.g shop system, communication between server and client, and many more.
There will be a lot of false positive when making an anti-cheat. If you focus on making an anti-cheat so much, you will ignore that mechanics you want to add to your game.
Any client-side check can be bypassed no matter what. Maybe add some sanity checks in your remotes to see if what the player is firing is even possible in your game. Also add fake remotes like GetAdmin and if you fire that it will ban the player because it would only be fired by a hacker
This doesn’t matter. A “perfect” anti-exploit is never going to exist, because the client will always be able to delete and edit things, regardless of what you do. Also, this won’t work at all in the first place, as you assume they’ll just be deleting scripts. They don’t need to delete scripts, and many exploits have the ability to disable connections entirely, making your method of checking when the child is removed pointless because they can disable it and then remove the script.
This won’t work at all (if the exploiter is smart). It’s more complicated.
You need to make detectors for different exploits like speed, teleporting, no-clipping, etc. For things that cause a faster change in position (like speed and teleporting) every second, you should check and make sure all the players’ characters are moving at around the set WalkSpeed. For things like no-clipping, you can create a Region3 around the character, and detect if an object is inside of it.
edit:
@ScriptedSuper , this won’t work at all. If the client is adding or removing a script, the script will not replicate to the server. Therefore, this won’t work either.
Don’t ever have any thing like money handling or inventory handling on the client. Never give the client access to a system you want strictly on the server.
Mostly, you won’t be able to prevent them from exploiting the game. The best you can do is secure all of your remotes, and make an anti-exploit that prevents them from going faster than the game allows them (e.g checking the distance moved within a certain time frame, if they jumped several times while never touching the ground, or as maturegotit said earlier, using region3 to prevent noclipping). A server side anti-exploit will only work against stuff that updates to the server, and you really can’t do anything other than that.
You can try to use the Stats service, and check for any spikes from the client which would likely be from injection, but that’s not a 100% method since anything can cause memory spikes.
Okay. Let me explain all you can do to defend against exploiters in your game. Other than that, there’s nothing else you can do to defend against exploiters. Some of these must be done on the client which is also vulnerable to just being deleted or changed.
Use sanity checks on events, such as checking for how fast remotes are being fired to the server. If remotes are being fired too fast, you can kick the player if you want. If the value in an argument the exploiter fired with the remote is really big or suspicious. But these are just remote sanity checks.
(RISKY, CAN RESULT IN MANY PLAYERS GETTING KICKED FALSELY) You can do memory spike checks on the client which detects how big a memory spike is. If you want, you can do something to detect memory spikes which are big and you can kick the player for that. This is just for synapse and other injectors.
(VULNERABLE TO BEING DELETED) You can have a localscript placed in StarterCharacterScripts which would check if the Humanoid of a character changes, such as the WalkSpeed property being changed or even the JumpPower being changed. This script can also check if something gets added to a character, such as a hat which isn’t supposed to be there if you want the script to do that.
(VULNERABLE TO BEING DELETED/EDITED) You can have a localscript placed inside of StarterPlayerScripts which would check if anything gets added to the player than the things the player already has in them, such as a new Gui getting added into LocalPlayer.PlayerGui or even a new script getting added/removed into LocalPlayer.PlayerScripts.
In conclusion: Games are always going to be exploitable unless ROBLOX deploys a patch for script injectors. You will never have a perfectly safe game from exploiters.