How to stop hackers from firing remote events connected to local scripts?


I have a local script that does a bunch of camera tweening and gui effects.
It is basically trying to recreate the feeling of a video, instead done with camera tweening and guis.

This script should ONLY do stuff when people in the control booth click a play button, and should play for everyone in the server.

my thoughts are to have the script in starterGui or somewhere else appropriate, and get it to play using a server > all client remote event.

but then I remembered that a hacker can easily fire the remote event, as many times as they want, and then the video will play when it isn’t meant to.

Are there other alternatives to using remote events for this purpose (server to all clients), or is there some way that I can make it so that the remote event will not fire unless it is coming from the control booth screen?

note: the script for the video HAS to be a local script because it involves camera manipulation and gui related stuff.

It should be fine the way you have it then? Hackers can only fire remotes to the server, not to the client.

It sounds like you’re describing a RemoteEvent from a client triggering all other clients, which isn’t something that RemoteEvents can do. It would have to be Client → Server → All Clients. One client tells the server something, and the server fires the event for everyone. That’s where your security comes in. Let’s imagine a “bad” client trying to trigger the video from outside the booth.

Insecure method:
Bad Client: “Server, tell everyone to watch this.”
Server: (sends RemoteEvent to all clients) “Okay! Everyone, watch this!”
Bad Client: :laughing:

Secure method:
Bad Client: “Server, tell everyone to watch this.”
Server: (checks client’s location server-side) “Hold on a sec, you aren’t in the control booth. No can do.”

You can make the server do any checks you like, but as long as your security is server-side, exploiters can’t touch it.

1 Like

no, It is Server to Client.

there is a screen in the control booth with a play button.
It is connected to a server script to do colour changes and to detect when the button is clicked.

I want the play button to trigger an event in all clients.

Exploiters can only mess with their own LocalScripts. LocalScripts on other clients are “safe”, as are server scripts. So an exploiter can watch the video all they want, but unless they run it past the server, they can’t affect anyone else.

1 Like

I’m pretty sure it won’t do anything except for them. Read more about Game security, Exploiters can only play around with their own LocalScripts, They will never be able to do anything on a server unless there is an unprotected remote event which they are able to fire to.


The client cannot fire remote events to other clients, only the server, and the client cannot manipulate the server into firing a remote event unless it is built into your code.


so if I have a remote event in ReplicatedStorage - a server script fires the remote event to all clients when a button on a screen is pressed.

so if the hacker fires that remote, nothing will happen because they cannot fire to all clients?

in other words, the hackers cannot be like RemoteEvent:FireAllClients() ?

am I correct?

In that case, it seems like it’s client → server → all other clients. If you don’t want the client to be able to make the server fire an event to all the other clients, then don’t have that first link, a remote event that the client fires, the server receives, and then the server fires to all the other clients.

No, :FireClient and :FireAllClients can only be called from the server.

okay awesome. So I am safe in this case.

Sorry everyone thinks its client > server > client.
It is Server > client. The button is on a SurfaceGui in workspace, not on every players screen etc.
should have clarified.

The client has to tell the server they clicked their mouse on the button… anything that needs input from the player’s device cannot be server-sided.

Can the Exploiters change scripts in StarterPlayer.StarterPlayerScripts ?
or stop them with disabled = true type thing …

Exploiters can do anything to localscripts.

How so they can actually re-write the scripts?

Localscripts run on the client, so yes. They can also stop it’s execution without using .Disabled or :Destroy()ing it.

When they fire a hack to a remote can you tell the player that came from?
like beyond adding the name before the fire in the script.

The player argument sent automatically with :FireServer cannot be spoofed.

1 Like

Not looking to spoof anything looking for tracks/footprints?
What I’m asking is, is there a way to tell who set off the remote no matter what they did to do it?

The Player argument you get when you connect a function to a remote event.

    print(Player.Name) --can't be faked

Well if you get the player name you should be able to tell if they are hacking.