Is it safe to fire events from the Client to the Server and vice versa?

I think the title says it all: is it safe to fire events from the Client to the Server and vice versa?

If not, how would I secure it?

I’m assuming you mean remotes, right? There’s no others you can fire between client and server.

It’s safe to fire remotes from the server to the client because you can fully control what data is sent, unless some of that data originally comes from the client.

Exploiters can use tools like RemoteSpy to detect when your remotes are fired and what data is passed. They can fire remotes themselves by injecting code. They can do anything to them your scripts can.

You only need to secure remotes on the server. You should implement things like:

  • Typechecking any parameters (not the player parameter because they can’t control that)
  • Validating any data sent, making sure it is appropriate (for example, a number being within a specific range)
  • Denial of Service/Distributed Denial of Service Attack prevention
  • Any other data checks necessary

Here’s an example of a secure remote:

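--assumed location of the remote; adjust the path to wherever your RemoteEvent lives
local RemoteEvent = game:GetService("ReplicatedStorage"):WaitForChild("RemoteEvent")

--number ranges
local NUM_MIN = 10
local NUM_MAX = 20

--holds information about players firing remotes
local cooldowns = {}

--marks the player as on cooldown for one second, then clears the entry
local function cooldownAsync(player: Player)
    cooldowns[player.Name] = true
    task.wait(1)
    cooldowns[player.Name] = nil
end

local function onServerEvent(player: Player, value: number, cframe: CFrame)
    --typechecking (you could kick here but I chose to make it return)
    if type(value) ~= "number" then return nil end
    if typeof(cframe) ~= "CFrame" then return nil end

    --cooldown checking
    if cooldowns[player.Name] then
        player:Kick("You were kicked for spamming a remote.")
        return nil --stop here so a kicked player's request is not processed
    end

    --check the number (value ~= value is only true for NaN, which would otherwise pass both comparisons)
    if value ~= value or value < NUM_MIN or value > NUM_MAX then
        player:Kick("You passed an invalid value through the remote.")
        return nil --stop here so the invalid value is never used
    end

    --cooldown the player (I chose to run the cooldown asynchronously here)
    task.spawn(cooldownAsync, player)
end

RemoteEvent.OnServerEvent:Connect(onServerEvent)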
1 Like

I’m trying to fire events to the client, but not sure if they originally come from the client. I’m trying to fire an event on MouseClick of the ClickDetector, and do some PlayerGui changes.

Is that safe?

If it comes from the MouseClick, it should be safe. The only unsafe data is data exploiters can mess with.

1 Like
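
The ClickDetector case discussed above, as an added example that is not part of the original thread: the server handles MouseClick and fires a remote to that player with data only the server chose, and the client maps it through an allow-list before touching PlayerGui. The block holds two separate scripts, and the names ShowPanel, Button, and ShopGui are assumptions.

```lua
-- ===== Server Script (e.g. in ServerScriptService) =====
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumed names: a RemoteEvent "ShowPanel" and a part "Button" with a ClickDetector.
local showPanel = ReplicatedStorage:WaitForChild("ShowPanel")
local detector = workspace:WaitForChild("Button"):WaitForChild("ClickDetector")

local COOLDOWN = 1   -- seconds between accepted clicks per player
local lastClick = {} -- [Player] = os.clock() of the last accepted click

detector.MouseClick:Connect(function(player)
    local now = os.clock()
    local last = lastClick[player]
    if last and now - last < COOLDOWN then
        return -- ignore rapid repeat clicks
    end
    lastClick[player] = now
    -- Both arguments are chosen by the server: the engine supplies `player`,
    -- and the panel name is a constant, so no client-supplied data is relayed.
    showPanel:FireClient(player, "Shop")
end)

Players.PlayerRemoving:Connect(function(player)
    lastClick[player] = nil -- drop the entry so the table does not grow
end)

-- ===== LocalScript (e.g. in StarterPlayerScripts) =====
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local showPanel = ReplicatedStorage:WaitForChild("ShowPanel")
local playerGui = Players.LocalPlayer:WaitForChild("PlayerGui")

-- Allow-list mapping panel names to ScreenGui names (assumed: "ShopGui").
local PANELS = { Shop = "ShopGui" }

showPanel.OnClientEvent:Connect(function(panelName)
    local guiName = PANELS[panelName]
    local gui = guiName and playerGui:FindFirstChild(guiName)
    if gui and gui:IsA("ScreenGui") then
        gui.Enabled = true
    end
end)
```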
