How to use RemoteEvent safely?

SaveEvent.OnServerEvent:Connect(function(plr, saveNo, subject, image)
	if plr.Name == tostring(Values.Owner.Value) then -- only the owner may save
	end
end)

I made a feature that sends a RemoteEvent when I press the save button on the local GUI,
receives it on the server, and stores the data in the DataStore.
However, it is not secure.

Since player data is transferred locally, it is possible for hackers to arbitrarily transfer other players’ data. This could overwrite other players’ save data.

So, I would like to create a feature to make sure that when I receive a RemoteEvent, the data sent by that player is correct. But the problem is that I can't come up with an idea. Please help…

1 Like

You could attempt to run a sanity check on one of the variables inside of the server script in an attempt to validate it, and prioritise trust in the server script instead of the local script.

3 Likes

Never change values on the client and then pass them to the server, because anyone can change them on the client.

Don't leave a RemoteEvent without sanity checks.
(I replied to the wrong person.)

4 Likes

Then how can I make it safe?

There is no way to make a RemoteEvent safe; your only way to secure them from exploiters is by adding a lot of sanity checks, and by not passing values that were changed on the client.

1 Like

Well, for a script that saves by pressing the GUI button, what can I check on the server?

Never trust the client. You can do all the checking on the server, and only handle the button on the client.
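A server-side handler along the lines of the advice in this thread, as an added example (not the original poster's code or any reply's); the RemoteEvent name "SaveEvent" in ReplicatedStorage, the store name "PlayerSaves", and the limits are assumptions:

```lua
-- Added example, not the poster's code. Assumed: a RemoteEvent "SaveEvent" in
-- ReplicatedStorage, a store named "PlayerSaves", and the limits below.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local DataStoreService = game:GetService("DataStoreService")
local SaveEvent = ReplicatedStorage:WaitForChild("SaveEvent")
local saves = DataStoreService:GetDataStore("PlayerSaves")

local MAX_SLOT, MAX_SUBJECT_LEN = 5, 50 -- assumed limits
local SAVE_COOLDOWN = 6                 -- seconds between accepted saves
local lastSave = {}                     -- [player] = os.clock() of last save

-- Re-check every argument on the server; return cleaned data or nil + reason.
local function sanitize(saveNo, subject, image)
	if typeof(saveNo) ~= "number" or saveNo ~= math.floor(saveNo)
		or saveNo < 1 or saveNo > MAX_SLOT then
		return nil, "bad slot"
	end
	if typeof(subject) ~= "string" or #subject == 0 or #subject > MAX_SUBJECT_LEN then
		return nil, "bad subject"
	end
	-- Accept only an asset id, never an arbitrary URL or raw bytes.
	if typeof(image) ~= "string" or not image:match("^rbxassetid://%d+$") then
		return nil, "bad image"
	end
	return { slot = saveNo, subject = subject, image = image }
end

SaveEvent.OnServerEvent:Connect(function(plr, saveNo, subject, image)
	local now = os.clock() -- rate-limit before touching the DataStore
	if lastSave[plr] and now - lastSave[plr] < SAVE_COOLDOWN then return end
	local data, reason = sanitize(saveNo, subject, image)
	if not data then
		warn(("rejected save from %s: %s"):format(plr.Name, reason))
		return
	end
	lastSave[plr] = now
	-- Key comes from the engine-supplied plr.UserId, never from the client's
	-- arguments, so a player can only ever overwrite their own record.
	local key = ("user_%d_slot_%d"):format(plr.UserId, data.slot)
	local ok, err = pcall(saves.UpdateAsync, saves, key, function() return data end)
	if not ok then warn("save failed for", plr.Name, err) end
end)

Players.PlayerRemoving:Connect(function(plr) lastSave[plr] = nil end)
```

The point is that the only trusted identity is the `plr` argument the engine supplies; everything else from the client is type-checked, range-checked and rate-limited before it reaches the DataStore.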

Verify results on the client as the first step to avoid unnecessary fires, so whenever something happens, you fire to the server.
On the Server, you run the same check, and just like the client, you will ignore the request if it does not meet the requirements.
If it does on both ends, execute your code.

Trust the client in checking for values, but check the client's validity using the server, like you do when you are verifying sources for an essay. (Maybe not the best example, but dunno, I'm dumb.)

If I understood you correctly, what's the point of going the extra mile when you can just directly check on the server, unless you want to catch people red-handed?

It will typically avoid contacting the server whenever something is not needed, to prevent any unnecessary calls.

But not everyone does that; in the majority of cases this will remain true and act as a safety net against unnecessary calls, and in the cases where it is a false positive (i.e. someone is messing with the values), the server will be there to prevent it.

It's like if you (the client) send in a quiz after you finished it: beforehand, you are checking the answers and making sure you get everything correct. And afterwards, the teacher (the server) will have to verify that result.
You don't turn it in unfinished, but the teacher needs to verify what you said to make sure to give you a good grade. (Which here is whatever the server is going to do.)
(Again, maybe not the best example, but my brain is running at 1 FPS ATM.)

1 Like