So recently, I realized a major flaw in my gun system. The client scripts only job is to see where the mouse is pressed and sends that to the server (which handles the shooting part). Currently, my client just sends over a Vector3 of where it hit, but theoretically, nothing stops an exploiter from sending a Vector3 of the closest character.
I’m not sure if (let alone how) I can filter this out/prevent this on the server side.
How can I prevent this?
I might have overseen some simple fix/counter, so please let me know, anything helps!
One. Cooldowns, have a set cooldown for the remote event.
Second. Raycasting. If you can raycast from the Muzzle to the player direction, and there’s something in front of it, you can just shoot there, instead of the character.
Third. Make sure to add sanity checks. (Essentially You can trust the client, but do not give it permissions that it could abuse.
Alright, this would work great for a normal actual gun, but in my case, the gun just sends 3 randomized bricks (color & size) and just launches them in the given vectors direction. If it hits someone, nothing happens except they might get pushed, as the point of the game is to fling/push off your opponents.
I might have cooldowns, but it still doesn’t stop them from just sending false vectors.
Always a good rule of thumb for the client, but can you give me some ideas of some I can implement in here?
Have the local script send some additional value which is expected by the server script (a bool value for instance), something an exploiter wouldn’t know about. If the OnServerEvent doesn’t receive this value then you can simply ignore the FireServer() request.