How to protect your experience from exploiters

So recently I have found that many big experiences on Roblox with a 500-2000 average player count had issues with exploiters. Most of the time this is caused by free models or by the server not validating data sent from the client, and today I will be explaining why you should validate data on the server instead of the client.

1. What is client and server?
When creating software or an experience on Roblox, or anything in general, you will need to send data from the client to the server and have them communicate with each other.

2. Why should I validate data on the server instead of the client?
Because everything done on the client can be exploited, and when it comes to the server, only you have access to it. The client can only send data to the server; it can’t modify the behavior of the server.

3. What are the advantages of validating data on the server?

Here is an example of how the server should validate data sent from the client:

→ Client sends the server an item name that the player wants to purchase
→ Server checks the type of the item name sent from the client; if it’s not a string then the client is trying to tamper with the server
→ Server checks if the item data exists; if it does, then it checks if the player has enough balance to purchase the item
→ Server updates player balance and gives the player an item

Now if we didn’t validate any data on the server, this is how it would look:

→ Client checks if the player has enough money to purchase the item
→ Client sends the server an item name that the player wants to purchase
→ Server gives the player an item

Now the issue with this is that since we are not doing any actual checks on the server, an exploiter can just tell the server “Hey, I want to buy this item” and the server will just give the exploiter the item, because there weren’t any actual checks on the server.

4. Why make this topic? Everyone already knows to never trust clients, don’t they? (Well… you are wrong)

One of the experiences on Roblox didn’t have proper checks on the server. For example, in their experience there was a remote called “DeleteScooterEvent”; the client would send the server a scooter model and the server would just delete it. The issue with that was the server didn’t have any checks, so exploiters could delete the entire map, kill all the players, etc. I’m hoping this thread will give people a general idea of why it is important to validate data on the server and not the client.

Here is a good example of how the data should’ve been validated on the server:

Spawning the scooter

→ Client sends the server a scooter name to spawn
→ Server checks the type of the scooter name sent from the client; if it’s not a string then the client is trying to tamper with the server
→ Server checks if the scooter name sent from the player exists in the game
→ Server spawns the scooter and gives it a unique identifier such as the player name or user ID

Deleting the scooter
→ The client sends the server a message asking the server for a scooter name or model
→ Server checks the type of the data sent from the client (if it is a model then we check that the type is an Instance; if it is a name then we check that it is a string)
→ Server checks if the given scooter sent from the client exists and belongs to the player
→ Server deletes the scooter

5. Fun fact: did you know that if you don’t properly validate data on the server, exploiters can dupe your experience by sending invalid types to the server? This is because Roblox datastores have limits, and if the server doesn’t properly validate data sent from the client, data saving can be corrupted for not following Roblox datastore limits.

Some scripts deliberately hide vulnerabilities so they can be abused later on (you can see the example below).

You might think, oh look, the server is checking if the car exists and if so it deletes the car, right?

Well… you are kind of wrong, because the “Car” is sent from the client, meaning the player can send any part and the server will treat it as a “car” and delete it.

Do you know how in some survival games exploiters make scripts to give themselves infinite stamina or infinite bag space? Well, you can also patch that easily by validating data properly on the server.

Here is an example of how you could patch “infinite stamina” exploits:

→ Client asks the server to start sprinting
→ Server checks if the player has enough stamina to sprint
→ Server handles updating the player’s stamina

Here is an example of how you could patch “infinite bag space” exploits:

→ Client asks the server to take an item
→ Server checks the type of the item; if it’s not a string then the client is trying to tamper with the server
→ Server checks the player’s bag capacity value
→ Server updates the player’s bag capacity value

Do you know how exploiters sometimes modify the stats of weapons, give themselves infinite ammo, and make guns one-shot? Guess what, that can be fixed too with server checks:

→ Client sends the server a table of the projectile (containing data like their remaining ammo, the name of the projectile, etc)
→ Server checks if the type of the weapon/projectile name is a table; if not, then the client is trying to tamper with the server
→ Server checks if an item exists
→ Server gets the data of the item and compares it to the data sent from the client; if the ammo is more than the max ammo then the client is trying to tamper with the server

You can also patch hitbox expanders / kill aura by checking the hitbox on the server and adding distance checks.

You can see more articles about how client and server communication works below (I would have linked one of Roblox’s official examples but could not find it :frowning:)

Security Tactics and Cheat Mitigation | Documentation - Roblox Creator Hub (thanks to @Userunmanned for providing the link)

I hope this thread helps Roblox developers secure their experiences :slight_smile:

5 Likes
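The purchase flow described in the post above, written out as a server-side Luau handler. This is an added example, not code from the thread; `ItemCatalog`, the `PurchaseItem` RemoteFunction, the `ReplicatedStorage.Items` folder and the leaderstats `Coins` value are assumed names.

```lua
-- Added example (not from the thread): server-side validation of a purchase
-- request, following the four steps in the post. ItemCatalog, PurchaseItem,
-- ReplicatedStorage.Items and the leaderstats "Coins" value are assumed names.
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Server-authoritative catalog: the client never sends a price.
local ItemCatalog = {
    Sword = { Price = 100 },
    Shield = { Price = 250 },
}

local PurchaseItem = ReplicatedStorage:WaitForChild("PurchaseItem") -- RemoteFunction
local ItemFolder = ReplicatedStorage:WaitForChild("Items")          -- Tool templates

-- Returns true on success, or false plus a reason. Every decision below is
-- made on the server; the only thing taken from the client is the item name.
local function tryPurchase(player, itemName)
    -- Step 2: type check. Anything but a string means a tampered request.
    if typeof(itemName) ~= "string" then
        return false, "invalid-type"
    end
    -- Step 3a: the item must exist in the server's own catalog.
    local item = ItemCatalog[itemName]
    if not item then
        return false, "unknown-item"
    end
    -- Step 3b: the balance is read from the server's copy of the stats,
    -- never from anything the client claims.
    local leaderstats = player:FindFirstChild("leaderstats")
    local coins = leaderstats and leaderstats:FindFirstChild("Coins")
    if not coins or coins.Value < item.Price then
        return false, "insufficient-balance"
    end
    -- Step 4: deduct and grant together, on the server.
    coins.Value -= item.Price
    local template = ItemFolder:FindFirstChild(itemName)
    if template then
        template:Clone().Parent = player:WaitForChild("Backpack")
    end
    return true
end

PurchaseItem.OnServerInvoke = function(player, itemName)
    local ok, reason = tryPurchase(player, itemName)
    if not ok then
        -- Rejected requests are worth logging: repeated type failures from
        -- one player are a strong signal of a modified client.
        warn(("[PurchaseItem] %s rejected: %s"):format(player.Name, tostring(reason)))
    end
    return ok
end
```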

I usually already check my data on the server. I really hope all developers do this. The hackers can’t keep getting what they want. I would also recommend this link. (It’s just Roblox’s advice on anti-exploit.)

Also, the Roblox link for Client-Server is here.

1 Like

The :Remove() function shouldn’t be used since it’s deprecated, and it will not remove the car; it will just parent it to nil, which means that it still exists and can be parented back to workspace/idk again.

1 Like

It still deletes the object, and the main point here is that the client can send any part to the server and the server will think it is a car and delete it, allowing exploiters to do stuff like:

  • Kick all players by deleting their player model
  • Kill all players by deleting their character’s head
  • Delete entire map
  • Corrupt other players’ data by deleting stuff

Yes, ik, what I mean is that it doesn’t really delete it: the :Remove function parents an instance to nil but doesn’t remove it from memory, which may cause memory leaks because it doesn’t get deleted. That explains why you can parent it back to workspace/smt after the Remove function, while :Destroy removes it from memory.
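The scooter spawn/delete flow from the original post, with the unchecked delete handler discussed in the replies placed beside a hardened version that uses :Destroy(). This is an added example, not code from any poster; `SpawnScooter`, `DeleteScooter`, `ScooterTemplates`, the `workspace.Scooters` folder and the `OwnerUserId` attribute are assumed names.

```lua
-- Added example (not from the thread): spawn and delete remotes for the scooter
-- case. SpawnScooter, DeleteScooter, ScooterTemplates, workspace.Scooters and
-- the "OwnerUserId" attribute are assumed names.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ScooterTemplates = ReplicatedStorage:WaitForChild("ScooterTemplates")
local SpawnScooter = ReplicatedStorage:WaitForChild("SpawnScooter")   -- RemoteEvent
local DeleteScooter = ReplicatedStorage:WaitForChild("DeleteScooter") -- RemoteEvent
local ScooterFolder = workspace:WaitForChild("Scooters")

-- The shape criticised in the thread: whatever instance the client hands over
-- is treated as "the car", so any replicated part in the game can be targeted.
-- Kept here only for contrast; do not connect it.
local function unsafeDelete(player, car)
    if car then
        car:Remove() -- deprecated: parents to nil, object lingers in memory
    end
end

-- Hardened spawn: the name must be a string naming a real template, and the
-- server stamps ownership on the clone so a later delete can be checked.
SpawnScooter.OnServerEvent:Connect(function(player, scooterName)
    if typeof(scooterName) ~= "string" then return end
    local template = ScooterTemplates:FindFirstChild(scooterName)
    if not template or not template:IsA("Model") then return end
    local scooter = template:Clone()
    scooter:SetAttribute("OwnerUserId", player.UserId)
    scooter.Parent = ScooterFolder
end)

-- Hardened delete: the argument must be an Instance, must be a Model sitting in
-- the scooter folder, and must carry this player's UserId.
local function validateDelete(player, scooter)
    if typeof(scooter) ~= "Instance" then return false, "not-an-instance" end
    if not scooter:IsA("Model") then return false, "not-a-model" end
    if scooter.Parent ~= ScooterFolder then return false, "outside-scooter-folder" end
    if scooter:GetAttribute("OwnerUserId") ~= player.UserId then return false, "not-owner" end
    return true
end

DeleteScooter.OnServerEvent:Connect(function(player, scooter)
    local ok, reason = validateDelete(player, scooter)
    if not ok then
        warn(("[DeleteScooter] %s rejected: %s"):format(player.Name, reason))
        return
    end
    scooter:Destroy() -- frees the instance, unlike :Remove()
end)
```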