What do you want to achieve? Keep it simple and clear!
I want to make a first person gun framework, but the shots to be handled on the server side
What is the issue? Include screenshots / videos if possible!
Every fps framework that I’ve seen/reverse engineered handles their bullets on the client side, and then firing a remote event to the server to damage the player, which is an extremely dangerous vulnerability
What solutions have you tried so far? Did you look for solutions on the Developer Hub?
I’ve tried looking on the internet but found nothing
Sorry for the late reply. Since your checks are on the server then the exploiters would not be able to touch it since they can only touch something client-sided.
Everything is possble, although the question is, why would you need it?
Every fps framework that I’ve seen/reverse engineered handles their bullets on the client side, and then firing a remote event to the server to damage the player, which is an extremely dangerous vulnerability
Are you sure that the frameworks handle all the bullet damage checks on client?
And even then, all the properly created gun systems, regardless of being FPS, TPS or OTS, would have bullet movement on client while having the server do all the checks - that is how it usually work.
It shall be understood that the most common scheme for gun framework functional is:
It makes no significant difference where you “handle bullets”, although there is a reason why client effects (such as bullet rays) are handled on client - that way it would not heavily affect the performance shall it be implemented properly.
I get your point and thank you very much for clarifying this to me.
While I was reading this, another question popped into my mind - what checks would I perform exactly on the server? Something like checking if the player’s LookVector is pointing towards the victim, or if there are any barriers between the shooter and the victim or is it something else?
Exactly. For example, you could use raycast functions to see whether there are no obstacles between a gun’s barrel/player and the target, whether both players and their characters are valid. Anything, really.
You could do the same checks on client, though, it is just the process of verifying whether the request made to the server is valid would be more complicated.
It shall be understood that game vulnerability comes out of the client → server event vulnerabilities as any LUA code injected by the exploiters can trigger such client → server events.
Most commonly the server would also perform a raycast of it’s own using the clients raycast’s hit position to use for a direction vector and checking for obstacles.
