How to make Remotes Exploit Proof

LeMustache1 · July 10, 2020, 9:03pm

Exploiters can fire remote events there is nothing we can do about that. I have made some research about this to make the Remotes Exploit proof. People are talking about checking from the server if the client is allowed to fire the remote server etc. How can I make the remotes exploit proof?

Coder_1 · July 10, 2020, 9:15pm

Make a maximum amount of times an event can be fired or a rate of firing and check who is firing it the rate and player:Kick() them

Anthonychi · July 10, 2020, 9:23pm

If you were using remotes for in-game purchases with in-game currency, you could protect your remotes by putting an if statement

just an example

RemoteEvent.OnServerEvent:Connect(function(player)
	if player.Cash.Value >= cashrequired then
		-- stuff
	end
end)

sz_s · July 10, 2020, 9:23pm

This is a very generic question, but in general you want to verify the player who invoked the remote is allowed to. You may also want to limit the remote rate using a leaky bucket approach.

Scepter_ofDarkness · July 10, 2020, 9:59pm

“Sanity Checks” are the main way to go about this. That is basically checking if the client has permission, or a reason to fire the remote event.
Depending on your remote event there are many ways to go about doing this.
I would recommend to check if it makes sense. If a remote event to switch the song is fired, then make sure the player has the gamepass!
If the remote is for a shop system, make sure the player has enough cash and has paid (so take away their cash and give them the item in the same remote event).
If the remote is for a tool, for this example a click event for a sword, you need to check that enough time has elapsed between each activation. So instead of just having the cooldown on the client, also have one on the server. If you’re feeling angry you can ban the player if he activates the remote event faster than the supposed cooldown >:)

TL;DR make sure that the player who fired the remote event did so legally.

P.S. Never trust the client. They can alter your code

Monsieur_Joe2 · July 31, 2023, 1:56am

i know this was 3 years ago but i cant think of any way to use a sanity check on a give money remote event

bt6k · July 31, 2023, 2:01am

The Client should not be sending any information that affects anything server wise. Sure, they can affect their own character, etc… but this should never be the case when writing information to the Server.

The server should always run what it is meant to run. It should not depend on anything from the client. If there are any remotes like that happening, they should be rewritten into a Server dependent communication method.