How to securely use ModuleScript in client and server?

I would like to securely achieve client and serverside usage of a ModuleScript that returns a table with methods (basically a Lua class).

Currently, I have a ModuleScript that needs to be used by the server and client (it acts as a physics manager for a vehicle). However, I would like to privatize my code as much as possible. I am afraid that exploiters can easily find my code.

I have tried to locate the ModuleScript in the ReplicatedStorage, so that both the client and server have access to it. This is not really a solution to my problem, since exploiters can access the ReplicatedStorage as any client can.


If the client can access it, it can be copied. You could try to obfuscate your code but if your game eventually gets big, it can still be unobfuscated. It also is performance intensive.

Why would you want to privatise it anyways? No one is probably going to copy your code — sorry but that’s the truth. And if you think exploiters being able to read module scripts can enable them to exploit then you’ve done something wrong. Major changes should have checks on the server and the server only should carry it out.


You can’t really protect any clientside stuff from getting leaked. Just don’t get too attached to it and try to handle things on serverside.

1 Like

I agree, that no one wants my code lol. It is just a question that I thought was interesting to think about.

ModuleScripts really aren’t meant to act as a bridge between Client and Server, (I was under that impression for a while too). When you call require on a ModuleScript,

“ModuleScripts run once and only once per Lua environment”
–ModuleScript Documentation

What this means is that for the server there exists a copy of the module’s contents and for every client there exists a copy of the module’s contents - and theses “copies” are different references.

You can use ModuleScripts to create a bridge between server and clients quite neatly although. For example, a ModuleScript might exist somewhere local to each client (StarterPlayerGui, StarterPlayerScripts, etc) which contains functions that can be called that then invoke the server either through a RemoteEvent or a RemoteFunction. The functions that handle these events and invokes can then exist in one or more Scripts or ModuleScripts located in ServerScriptService (not replicated to clients) such that any implementation details of your code would not be accessible to any exploiter unless they had access to the server somehow (but as @PeterShall22 said, this isn’t really a huge concern as your implementation should involves steps and checks to prevent any sort of mal-use by clients).


Hahaha, alright. You used to be able to use loadstring() for private modules but that doesn’t exist anymore so.

I believe it still exists but it is disabled by default or something.

Nope, ROBLOX dropped support for it as it was used for backdoors.