Is running everything through SS/SSS to prevent stealing a good idea?

Greetings,

I am just wondering, if there is any point, and is it even a good idea, to connect as many scripts as possible to server storage/script service to prevent exploits and asset stealing, such as ui scripts?

Thanks for your time

I would say you’ll get to a point where you will need to use scripts outside of ServerScriptService and ServerStorage. I always have one LocalScript that controls client-sided scripts like UI interactions, events, etc. So keep as many things as possible away from the client; also, for extra protection when using events, make sure to have checks, like: do they have enough money? Do they own this item? Hope this helps, have a good day!

It doesn’t really matter to me.
I use whatever necessary, I don’t care much about exploits, because most of the scripts on the server handle authentication, and make sure it’s getting correct data.
Your choice though.

well obviously there would have to be a local script requesting the server for whatever is supposed to happen with the ui, i’m just wondering if there is any point to it, and might it cause lag in using the uis

me neither but my team is worried so i’m looking into it. Their main concern is stealing scripts to quickly make a clone game with the stolen assets

There is no reason to handle the GUI on the server. Only that client can see their own gui, so it doesn’t matter if they hack the gui and change it. The only thing that is important to handle on the server is things that will affect everyone like stats. Especially because even if you handle the GUI on the server, the client can still change it by inserting a local script so it doesn’t really protect anything.

Then refrain from leaking too much data in client scripts.
Client cannot see server scripts, they can only see client scripts.

Basically, there’s a “firewall” preventing clients from accessing server-type data.
Let’s say, the client cloned a tool into their inventory from Lighting, only they would see it, not anyone else in the server.

However, this can always be bypassed; people are using glitches or hats to make it seem that FE is not doing anything, and are doing crazy stuff like
https://gyazo.com/71d6cdd67e7cf74d798fc3078b1a80cb (Yes I recorded that.)

the goal would be to protect the scripts from being downloaded and then reused by those who stole them for their own gui, i know it sounds kinda silly, like i said my team is worried and they have their reasons

You can’t escape having your client scripts downloaded, but you can prevent it.
Just have something like a dex-explorer detector, or memory recorder that tracks the client’s memory usage in order to detect exploits (Exploits generally create a private thread within the game, “injecting” it, and then running code which takes up more memory).

i see well thank you i guess i’ll look into that when the game is close to release

If you try to push everything in SS/SSS, your server will suffer from the overload. LocalScripts, however, are more responsible for client-sided input, controls, visuals, etc.

Why should one worry about stealing when DMCA strikes are real?

I think the hard part about that, Operatik, is some people edit and configure games and it’s quite evident to games in Roblox.

I’m pretty sure a server can’t suffer from overload because scripts don’t take that much resources on a computer unless it’s doing something that would require a lot of resources.
Second, scripts are smaller than KB. It’s literally mostly just text files but converted to Lua.

@Clarkonp
Editing beyond recognition is… quite an interesting detail. There’s a line to draw whether DMCA is valid against them.

@Obj_ective
Not always true. The overload they suffer from is the loops they have to go through when it comes to client running something that requires looping with near-perfect visual replication. However, you can still leave certain scripts that are required for the server to execute what the client script has to do. That’s the difference that sets them apart if the script requires client-server communication.

All server scripts should go in SSS (no exceptions but RPS (ReplicatedScriptService)) because they can’t be seen and it’s the container scripts are designed for. Anything that the client should be able to access (LocalScripts, models, etc.) should go in the Replicated Services (ReplicatedStorage, ReplicatedFirst, etc.).

You shouldn’t sacrifice simplicity and production value over someone trying to steal your things. In addition, what’s the point of putting things in SS or SSS when they’re going to be seen anyway? If the person tried to steal your game, they would still have to figure out what you did in your server scripts, because if you put them in SSS (the correct container), they will have no idea what’s in them.

The only things you should put in SS or SSS are things that the client will never see, otherwise, there isn’t a point of doing so.

TL;DR

Put only things the client will never see in SS or SSS, otherwise it wouldn’t be a really good idea as it’s going to be significantly harder to manipulate and access when you need it client side.

well other than putting local scripts inside their respective guis in starter gui i try to live by what you said in your post. I’ve shown this thread to my team and it seems their concerns have been somewhat alleviated

Ayo. LocalScripts don’t work in the server lol. It’s dependent on the context. Meaning if you were to try and code a UI from a Server you’d get no response or update.

Learning the Server/Client model is key if you’re going to handle exploits.
However, keep in mind that what you give is what they get. They can’t get stuff if it’s in server storage. Simply if they’re an admin. Clone the gui into their character and let it run.

Just use ReplicatedStorage for anything the client side (the player) will see in game, or remote events, and ServerStorage for things only the server ever uses.

you seem to misunderstand. if i were to run ui from ss or sss i’d obviously have a local script in the ui that would request stuff from ss or sss via remote event, which is perfectly doable my question was if there was a point to this

Most games connect to events given by the server. So yeah there is a point to this. But if it’s to the server then make sure to solidate and proof the client request.
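
Added example, not written by any poster in this thread: a server Script for ServerScriptService that performs the checks several replies recommend (does the player have enough money, do they already own the item) before acting on a RemoteEvent fired from a UI LocalScript. The names `BuyItem`, `ShopItems`, `leaderstats.Money` and the price table are assumptions made for illustration.

```lua
-- Script in ServerScriptService (added example; all instance names are assumptions).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

-- Assumed layout: ReplicatedStorage.BuyItem (RemoteEvent),
-- ServerStorage.ShopItems (Folder of Tools), leaderstats.Money (IntValue).
local buyItem = ReplicatedStorage:WaitForChild("BuyItem")
local shopItems = ServerStorage:WaitForChild("ShopItems")

-- Prices live only on the server; the client never sends a price or an amount.
local PRICES = { Sword = 100, Shield = 250 }
local COOLDOWN = 0.5 -- seconds between accepted requests per player
local lastRequest = {}

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- 'player' is supplied by the engine; every later argument is client-controlled.
	if typeof(itemName) ~= "string" then return end
	local price = PRICES[itemName]
	local template = shopItems:FindFirstChild(itemName)
	if not price or not template then return end

	-- Throttle repeated firing from a modified client.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN then return end
	lastRequest[player] = now

	local stats = player:FindFirstChild("leaderstats")
	local money = stats and stats:FindFirstChild("Money")
	local backpack = player:FindFirstChildOfClass("Backpack")
	if not money or not money:IsA("IntValue") or not backpack then return end

	-- "Do they own this item?" Check the backpack and the equipped tool.
	local character = player.Character
	if backpack:FindFirstChild(itemName) then return end
	if character and character:FindFirstChild(itemName) then return end

	-- "Do they have enough money?" Checked against the server's own value.
	if money.Value < price then return end

	money.Value -= price
	template:Clone().Parent = backpack -- the asset leaves ServerStorage only now
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid keeping references to departed players
end)
```

The UI LocalScript only calls `BuyItem:FireServer("Sword")`; anything a client changes in its own GUI code cannot alter the price, the balance or the ownership check.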