HttpService GetAsync Safety?

So I was just reading about HttpService in general (but mostly for a server region detector (here)). I read that you cannot use HttpService:GetAsync() on the client due to performance reasons but also because you are exposing info on the client to the URL link, posing a security risk.

Because Roblox Studio local playtest (not team test) runs the server locally on your computer, any server-sided HTTP requests will come from your computer, similar to if it was client-sided. Is this safe at all? The warning that comes from enabling HttpService only mentions third-party attacks to the experience, but does not say anything about local playtesting.

You cannot use it on the client for safety reasons.

It’s safe if you send requests to safe sites. The worst a site can do is grab your IP, but they can’t tell who it belongs to.

A malicious plugin could send your Roblox UserId to a malicious site that then grabs your IP, but you would know about this. You need to give permission to plugins before they can make requests to a specific site.


Hi, I’m the original poster whom you just mentioned.
Just like @avodey mentioned, this is due to safety reasons alone.
Similar to how exploits work, by importing a plugin/library/framework from an unknown source, any HTTP requests other than the game connectors will be disabled by default.

This is also one of the reasons why no HTTP requests can be made from the client.

And basically no link is technically harmful unless you're importing something from it. Now, in these APIs, you usually retrieve JSON data.

JSON is limited to text only; it has no true functionality.

Now you would usually read the data you want to read for; let's say server location, you would read the data for accessing this only. So it means you wouldn't actually have any harm; even if you get other data, the function simply fails because you don't have the required location data.

Moreover, the reason you see your location while testing is due to your device being the local server while testing; in actuality, the server is always a server assigned by Roblox, which is based on the first-join player and usually other factors (e.g. availability).

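An added example, not part of any post in this thread: a server-side script that treats the JSON reply as untrusted text, reads only the expected location fields, and fails closed when they are missing. The endpoint URL, the `country` and `region` field names, the length limit, and the choice to skip the request in Studio are assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; the endpoint
-- and field names below are assumptions, not a real service's API.
local HttpService = game:GetService("HttpService")
local RunService = game:GetService("RunService")

local GEO_URL = "https://geo.example.com/json" -- hypothetical placeholder endpoint
local MAX_FIELD_LEN = 64 -- assumed upper bound for a location string

-- Decode a response body and return only the fields we asked for, or nil plus a reason.
local function parseRegion(body)
	local ok, data = pcall(HttpService.JSONDecode, HttpService, body)
	if not ok or type(data) ~= "table" then
		return nil, "response is not a JSON object"
	end
	-- Read only the expected keys and check their types; any other data is ignored.
	local country, region = data.country, data.region
	if type(country) ~= "string" or type(region) ~= "string" then
		return nil, "expected location fields missing"
	end
	if #country > MAX_FIELD_LEN or #region > MAX_FIELD_LEN then
		return nil, "location field too long"
	end
	return { country = country, region = region }
end

local function fetchServerRegion()
	-- In a local Studio playtest the "server" is your own machine, so the
	-- request would leave from your own IP; this example skips it there.
	if RunService:IsStudio() then
		return nil, "skipped in Studio"
	end
	local ok, body = pcall(HttpService.GetAsync, HttpService, GEO_URL)
	if not ok then
		return nil, "request failed: " .. tostring(body)
	end
	return parseRegion(body)
end

-- Constructed sample bodies to show the accept and reject paths offline.
local good = '{"country":"US","region":"Virginia","extra":{"ignored":true}}'
local bad = '{"error":"rate limited"}'
print(parseRegion(good)) -- table holding only country and region
print(parseRegion(bad)) -- nil, "expected location fields missing"
print(fetchServerRegion())
```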

Thank you both for the information! I really appreciate it!
