Improve RemoteEvent Security

I want RemoteEvents to be more secure. For example, with the .OnServerEvent:Connect(function() event the first argument is player, so why not make a second argument called script? This would mean that we could tell what local script instance called :FireServer() on our remote, and if that local script was client created, probably by an exploit, it would be nil for the server.

1 Like

I don’t get your goal. You should focus on securing your remotes by implementing sanity checks and such rather than applying a bandaid over poor remote communication. By the way, an exploiter can see arguments passed through RemoteEvent::FireServer (and RemoteFunction::InvokeServer), so they can easily just pass the script you expect like nothing happened.

By the way, your post seems to be in the tone of a feature request - you seem to want Roblox engineers to add a default script parameter. #help-and-feedback is not the place for that. You can do that in #platform-feedback. For this specific case, #platform-feedback:engine-features.

2 Likes

Don’t listen to me. Read below for why. VV Too tired for this right now haha.

If the instance is created locally then the server cannot see it. For instance, if OP were to do remote_event:FireServer(script) where script was some script in PlayerScripts, the server would see nil since the PlayerScripts folder is created on the client. The reverse can happen too - if the server sends a reference to some object in ServerScriptService or ServerStorage, the client would see nil since the contents of those services are inaccessible to clients.

1 Like

Try adding a key to your remote event for extra security.

I do but people can decompile my local scripts and get my remote key.

Decompiling won’t even be required to view the key. It is as simple as them bringing up a remote spy to see the arguments being sent over.

Decompile? Like view your scripts? Didn’t know that was possible.

Can exploiters see what the arguments are? Or what the argument names are?

They can definitely see the arguments. Not too sure what you mean by argument name though.

If Roblox had a 2nd required argument like they did player, but it’s the actual script instance that called :FireServer() on the remote, then the server script that gets the .OnServerEvent:Connect(function(Player,Script) can check if the script that called :FireServer() on the remote was one of your own local scripts and not some exploit.

For backwards compatibility reasons and because of how replication works, this is not feasible. Say you have a local script in PlayerScripts: the server couldn’t see it. And by the way, the script would have to be sent by the client, which could easily be spoofed. The player argument can’t be, though, luckily.

The suggested feature is just not possible at all, replication issues aside. You cannot verify a script sent over the network is the same script that actually did the operation in the client. The only reason the Player argument is guaranteed to be correct is because Roblox makes sure of that through the actual connection it has open to the client.

2 Likes
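
A server-side sanity check of the kind recommended in the replies above, as an added example that is not part of the original thread. The remote name PickupItem, the Pickups folder and the distance and rate limits are assumptions chosen for illustration; only the engine-supplied player argument is treated as trustworthy, and every client-sent argument is validated.

```lua
-- Added example: server Script (e.g. in ServerScriptService). All names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local pickupRemote = ReplicatedStorage:WaitForChild("PickupItem") -- assumed RemoteEvent
local pickupsFolder = workspace:WaitForChild("Pickups") -- assumed folder of server-created parts

local MAX_DISTANCE = 12   -- studs; assumed game rule
local MIN_INTERVAL = 0.25 -- minimum seconds between requests per player

local lastRequest = {} -- [Player] = os.clock() of that player's last request

local function isValidRequest(player, item)
	-- Rate limit, keyed on the player argument supplied by the engine.
	local now = os.clock()
	local previous = lastRequest[player]
	lastRequest[player] = now
	if previous and now - previous < MIN_INTERVAL then
		return false
	end
	-- Client arguments can be anything (client-created instances arrive as nil),
	-- so check the type before calling any method on them.
	if typeof(item) ~= "Instance" or not item:IsA("BasePart") then
		return false
	end
	-- The target must be an object the server itself placed in the pickups folder.
	if not item:IsDescendantOf(pickupsFolder) then
		return false
	end
	-- Use the server's view of the character, not a position sent by the client.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root or not root:IsA("BasePart") then
		return false
	end
	return (root.Position - item.Position).Magnitude <= MAX_DISTANCE
end

pickupRemote.OnServerEvent:Connect(function(player, item)
	if not isValidRequest(player, item) then
		return -- drop the request; optionally log it for moderation
	end
	item:Destroy()
	-- Award the pickup to `player` here, using server-side state only.
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid leaking entries for departed players
end)
```

No key or script reference is checked here, because anything the client sends can be observed and replayed.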

Why can’t the player instance be spoofed? I feel like they could do the same for script.

1 Like

Oof, thought it could be possible, guess not.