Is it safe to use a key to secure remote events?

Is it safe to use a key to secure remote events?

-- Client
local ReplicatedStorage = game:GetService('ReplicatedStorage')
local Players = game:GetService('Players')

local KickPlayer = ReplicatedStorage.Events.KickPlayer
local clientKey = 'y3h26gdy972h9'

KickPlayer:FireServer(clientKey, Players['Player1'])

-- Server
local ReplicatedStorage = game:GetService('ReplicatedStorage')

local KickPlayer = ReplicatedStorage.Events.KickPlayer
local serverKey = 'y3h26gdy972h9'

KickPlayer.OnServerEvent:Connect(function(player, clientKey, playerToKick)
    if clientKey == serverKey then
        playerToKick:Kick()
    end
end)
1 Like

No? How do you expect that to do anything? This is horrible code, I mean, you do realize exploiters have unlimited access to the client?? They could just fire that remote event with no checks on the server and kick everyone!! ALWAYS PUT CHECKS ON THE SERVER.

2 Likes

That is VERY bad. Anyone has access to the client, so they can see the key. If you want only certain people to get access to kicking people, use a table on the server and check on the server whenever it is fired.

2 Likes

No, an exploiter could read the local script and fire the remote with the key which was inside the script.

Instead you can check if the player has permission to kick the player on the server.

-- Server
local ReplicatedStorage = game:GetService('ReplicatedStorage')

local KickPlayer = ReplicatedStorage.Events.KickPlayer

local admins = {
    game.CreatorId
}

KickPlayer.OnServerEvent:Connect(function(player, playerToKick)
    -- 'player' is supplied by the engine; only UserIds in the admins table may kick
    if table.find(admins, player.UserId) then
        playerToKick:Kick()
    end
end)
2 Likes

Can the player see local script source?

YES!! Anyone can see their client, how else would the scripts work??

1 Like

Not by default, you need external sources to see the actual code. But exploiters can, since they use external sources that read the code.

1 Like

Exploiters can read your code if they decompile your LocalScript and get the key, or they could use a remote spy, and when you fire the remote, they will receive the event and use it to kick anyone in your game.

1 Like

The key would catch some exploiters if they do fire RemoteEvents themselves, but kicking them isn’t going to affect them, since they’ll reconnect.

Exploiters have access to localscripts, so they can read the key. You’re pretty much firing a normal RemoteEvent with extra steps (the key), so it won’t do anything except catching exploiters off-guard as mentioned beforehand.

The best way to secure a connection is to do ALL important checks on the server - you never trust the client. If you’re making this so a few people have access to kicking, create a table, and check if the player’s on it.

3 Likes
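An added example (not code from any poster in this thread) of the server-side checks the replies above recommend: the allowlist stays on the server, and every argument after `player` is treated as untrusted input. The names `ADMIN_USER_IDS`, `COOLDOWN_SECONDS` and `lastRequest`, the cooldown value, and the rule that admins cannot kick themselves or each other are assumptions made for illustration.

```lua
-- Server Script (added example, not from the thread)
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local KickPlayer = ReplicatedStorage.Events.KickPlayer

-- The allowlist exists only on the server; nothing secret is shipped to clients.
-- game.CreatorId is a UserId only when the experience is owned by a user, not a group.
local ADMIN_USER_IDS = {
	[game.CreatorId] = true,
	-- [123456789] = true, -- constructed placeholder UserId
}
local COOLDOWN_SECONDS = 2 -- assumed value
local lastRequest = {}     -- [UserId] = os.clock() of the last accepted request

local function isAdmin(player)
	return ADMIN_USER_IDS[player.UserId] == true
end

KickPlayer.OnServerEvent:Connect(function(player, target)
	-- 'player' is filled in by the engine and identifies the real sender.
	-- 'target' comes from the client and may be nil, a string, a Part, anything.
	if not isAdmin(player) then
		warn(("Unauthorized KickPlayer from %s (%d)"):format(player.Name, player.UserId))
		return
	end

	-- Reject anything that is not a Player currently in the server.
	if typeof(target) ~= "Instance" or not target:IsA("Player") then return end
	if target.Parent ~= Players then return end

	-- Assumed policy: admins cannot kick themselves or each other.
	if target == player or isAdmin(target) then return end

	-- Simple per-admin throttle so a compromised admin client cannot empty the server at once.
	local now = os.clock()
	local last = lastRequest[player.UserId]
	if last and now - last < COOLDOWN_SECONDS then return end
	lastRequest[player.UserId] = now

	target:Kick("Removed by an administrator.")
end)

-- Drop throttle state when a player leaves.
Players.PlayerRemoving:Connect(function(player)
	lastRequest[player.UserId] = nil
end)
```

The matching client call sends only the target, `KickPlayer:FireServer(targetPlayer)`, so an unauthorized client firing the remote gains nothing.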

I think you’re a bit confused about the Server/Client model, so I recommend looking at these sources: Game Security, Bindable Events and Functions | Roblox Creator Documentation and Exploiting Explained.

4 Likes