Is it safe to return info from the server to a local script using a module?

FEARLESS_AM0S · December 25, 2021, 9:12pm

Is it safe to take information from server services (for example, values from server storage) using a module script that will return the table to a local script?
This is part of code from module script in Replicated Storage

local DataFolder = game:GetService("ServerStorage").PlayersData
function module.GetOptions(plr)
	local options = {}
	for i,v in pairs(DataFolder:FindFirstChild(plr).Options:GetChildren()) do
		local a = {[v.Name] = v.Value}
		table.insert(options,a)
	end
	return options
end

dthecoolest · December 25, 2021, 11:14pm

And

The local script will not be able to access server storage. Unless the information is passed through remote events.

Try it out.

thyswedishviking · December 25, 2021, 11:37pm

That would be unsafe to transfer data through a remote event because hackers can change that data and or view it.

dthecoolest · December 25, 2021, 11:49pm

No it would not be unsafe in this scenario, this is because the data needs to be transferred to a local script which a local script will need and not kept a secret on the server implied by this quote.

In this case it’s PlayerOption data. If an exploiter changes it and views it it would only be for the exploiter and not anyone else due to filtering enabled. Unless you also intentionally bypass it with another remote event which introduces a vulnerability.

I mean how else are you going to transfer information to the client in a way hackers cannot tamper with it?

thyswedishviking · December 25, 2021, 11:51pm

Mb I thought it was the other way around, anyways thanks for correcting me.

MP3Face · December 26, 2021, 1:43am

This is part of code from module script in Replicated Storage

You’re replicating this modulescript to the client if it’s held in ReplicatedStorage, so whatever info is held in it is not hidden from players. You could hide it by putting this modulescript in ServerScriptService and have another (also in ServerScriptService to hide it as well) server-sided script handle remote event communication with the client. Say, client fires an event asking for info, the script that require()'s the modulescript grabs it from module, then fires it back to the client. The middleman script won’t expose any data the player shouldn’t see.

FEARLESS_AM0S · December 26, 2021, 9:21am

I felt that I did something stupid, because I did not even check how work of these scripts.
In any case, thanks for clarifying my problem.