How to protect Remote Events when using an 'admin command bar'

I’ve been reading about securing remote events and the key point which pops up again and again is "never trust the client. Always validate."

For the majority of my games I’ve been applying this logic, alongside a ‘password system’. For my newer projects I’ve stopped using a ‘password’ verification system as I understand now that they can always be overcome, take time to make and can disrupt code.

Here’s the thing:
If you are making a ‘command bar’ for an admin commands script, where the client submits commands, for example through a gui, how do you go about verifying the player is the correct player executing the commands?

In the past, I’ve always used the ‘password’ system to protect against this, but now I want a more reliable way to verify the player executing the command is the correct player. For example, an exploiter could fire to one of the remote events requesting to ‘kill all’, using a player who has the permission to execute that command as their first argument.

Any thoughts?

Thanks.

1 Like

I would recommend checking the UserId of the player firing the remote. Do this on the server before actually executing the command.

This would be very secure, because exploiters can’t change the player argument.

4 Likes

This can’t be done: the player argument passed as the first argument to your OnServerInvoke function of the remote event will only ever be the player of the client that fired the remote event. You can simply check that this player is allowed to request a kill all command. If an exploit that allowed players to impersonate other players over the network was discovered, it would be patched very quickly by Roblox, as it would be a serious security risk.

8 Likes
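A server-side handler that applies both answers above (use the engine-supplied player argument, then check its UserId against an allowlist before dispatching the command). This is an added example, not code from any post in the thread; the RemoteEvent name, the script location and the admin UserId are assumptions.

```lua
-- Server Script in ServerScriptService (assumed location). Assumes a RemoteEvent
-- named "AdminCommand" in ReplicatedStorage; the UserId below is a placeholder.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local adminCommand = ReplicatedStorage:WaitForChild("AdminCommand")

-- Allowlist keyed by UserId, not by name: usernames can change, UserIds cannot.
local ADMINS = {
	[123456] = true, -- placeholder: replace with a real admin UserId
}

-- Handlers receive the already-authorised admin plus the client's remaining
-- arguments, which are still untrusted and must be type-checked.
local COMMANDS = {}

function COMMANDS.kick(admin, targetName, reason)
	if type(targetName) ~= "string" then
		return false, "kick expects a player name"
	end
	local target = Players:FindFirstChild(targetName)
	if not target then
		return false, "no such player: " .. targetName
	end
	target:Kick(type(reason) == "string" and reason:sub(1, 100) or "Kicked by an admin")
	return true
end

function COMMANDS.killall(admin)
	for _, plr in ipairs(Players:GetPlayers()) do
		local humanoid = plr.Character and plr.Character:FindFirstChildOfClass("Humanoid")
		if humanoid then
			humanoid.Health = 0
		end
	end
	return true
end
-- `player` is filled in by the engine from the connection that fired the event;
-- the client cannot choose or forge it, so identity is never read from the
-- arguments that follow it.
adminCommand.OnServerEvent:Connect(function(player, commandName, ...)
	if not ADMINS[player.UserId] then
		warn(("[admin] %s (%d) denied: %s"):format(player.Name, player.UserId, tostring(commandName)))
		return
	end
	local handler = type(commandName) == "string" and COMMANDS[commandName:lower()]
	if not handler then return end -- unknown command: ignore rather than error
	local ok, err = handler(player, ...)
	if not ok then
		warn(("[admin] %s by %s failed: %s"):format(commandName, player.Name, err or "?"))
	end
end)
```

The denied-access warnings double as a simple audit trail: a non-admin repeatedly firing the remote shows up in the server log without anything being executed.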

@Coeptus @TheGamer101 Oh okay, thanks! I always had the assumption that the player argument could be changed. This will make things easier then :slightly_smiling_face: