HttpService is a wonderful, wonderful tool. I use it to log who has visited my game, what people have chatted in my game, to look up usernames based on userIds, and other things. It’s incredibly helpful. But, one thing that has worried me a little bit is that there seems to be no way for the requested page to tell where the request came from. If someone steals your script, or figures out how to format the request the right way, or even just puts in knowingly incorrect data, there’s no way to tell for sure.
Say I had a page that would log who had been awarded what badges. I format it with one parameter for the game ID, one parameter for the badge ID, and one parameter for the user ID. I put it as a free model so that other people can use it to track awarded badges. Joe does it properly for his sword fight game, it works great. Bob does it properly for his obby, it works great. John runs the following code…
for q = 1, 1234567890 do for w = 1, 1234567890 do wait(1) game.HttpService:PostAsync(mypageurl, "gameid=" .. q .. "&badgeid=" .. w .. "&userid=" .. math.random(1, 50000000)) end end
Suddenly you can’t tell what is real data and what is spam.
I know that using passwords makes this less of a problem, but Robloxians are a crafty, exploity bunch.
So, I would like there to be some variable that it sends that cannot be altered, that provides proof of where the script comes from, so that there is far less chance of false data like that. Either the game’s PlaceId or CreatorId would work well for the value of it, or both, though you could get the creator’s ID from the place ID with just a little bit of extra page reading in PHP.