Is this RemoteEvent/RemoteFunction security method safe enough against exploiters?

Hello everyone! :wave::slightly_smiling_face:
So I just finished a, in my eyes, flawless way to secure my RemoteEvents and RemoteFunctions, but since I’m not a PROgrammer, I’d like to have my code judged if it would be effective against exploiters.
The way I’m using to secure my RemoteEvents and RemoteFunctions is by key and reason communication. It would work like this:

  1. When a RemoteEvent or RemoteFunction has to be fired or invoked, the client first has to get a key from one specific RemoteFunction. What’s important is that a reason has to be provided, or else the RemoteFunction won’t return a key. Keys are generated by HttpService:GenerateGUID.

  2. Next, the client can fire the RemoteEvent or RemoteFunction, including the key and the reason. The server will receive the parameters sent with the event or invoke and will once again check, by a completely server-side invoke, whether a key exists for the provided reason. If true, the event or invoke is accepted. If false, the event or invoke is denied and the player gets kicked from the game.

For safety reasons, I won’t provide any code.

So your amazing system is to ask politely to send a request?
What’s stopping people from also asking for this magical reason thing,
or accessing the memory in which the key is stored?
And why are you kicking them?

The best possible approach I can give, in short:
you’re making it somewhat harder, yes.

But never trust the client, always trust the server. The client is accessible. The server is not.

Work on the basis of data transfers this way:
server → client,
never client → server. I mean, some data would have to come from the client, like when a user fires a gun, but you, the server, validate the info & deal with it accordingly. (implement sanity checks, etc.)

But validate every use-case scenario. (see: Security Tactics and Cheat Mitigation | Documentation - Roblox Creator Hub)

The issue with your method is that it is possible to ‘spy’ on remotes and read the data sent to & from them, i.e. even though the key is generated using HttpService, possibly per server, it is still possible to obtain it this way.

You could implement stuff like RbxSignals (see: Signal | RbxUtil (sleitnick.github.io))

You could possibly look into networking libraries / modules.

But generally, this isn’t safe & as secure as you’d think.

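As an added illustration (not code from the opening post, the replies, or Roblox itself), here is the key/reason scheme from the opening post written out as a server Script, followed by the kind of server-side sanity checks the second reply recommends for a "user fires a gun" remote. The remote names GetKey and FireWeapon, the 30-round magazine, and the MAX_RANGE and MIN_INTERVAL values are all assumptions made for the example.

```lua
-- Server Script (ServerScriptService). Added example, not the thread's own code.
local HttpService = game:GetService("HttpService")
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumed to exist in ReplicatedStorage; the names are hypothetical.
local getKey = ReplicatedStorage:WaitForChild("GetKey")         -- RemoteFunction
local fireWeapon = ReplicatedStorage:WaitForChild("FireWeapon") -- RemoteEvent

-- 1) The key/reason scheme as described in the post.
-- keys[player][reason] = key; the server hands out a GUID for any non-empty reason.
local keys = {}

getKey.OnServerInvoke = function(player, reason)
	if type(reason) ~= "string" or reason == "" then
		return nil -- no reason, no key
	end
	keys[player] = keys[player] or {}
	local key = HttpService:GenerateGUID(false)
	keys[player][reason] = key
	return key
end

local function hasKey(player, reason, key)
	local forPlayer = keys[player]
	return forPlayer ~= nil and forPlayer[reason] == key
end

-- Every input to hasKey() is a string the client chose. An exploiter's script runs
-- on that same client, can call getKey:InvokeServer("fire") itself, and then fires
-- the event with a perfectly valid key. The GUID proves only that *some* code on
-- that client asked for it, which is exactly what could not be trusted anyway.

-- 2) Checks that do not depend on the client being honest.
local MAX_RANGE = 300    -- studs; hypothetical weapon range
local MIN_INTERVAL = 0.1 -- seconds between shots; hypothetical fire rate
local lastShot = {}      -- player -> os.clock() of the last accepted shot
local ammo = {}          -- player -> remaining rounds, owned by the server

Players.PlayerAdded:Connect(function(player)
	ammo[player] = 30 -- hypothetical magazine size
end)

Players.PlayerRemoving:Connect(function(player)
	keys[player], lastShot[player], ammo[player] = nil, nil, nil
end)

fireWeapon.OnServerEvent:Connect(function(player, reason, key, targetPosition)
	-- The post's check, kept for comparison: it rejects only clients that did not
	-- bother to ask for a key. Bad requests are dropped rather than kicking the
	-- player, so a lost packet or a lagging client is not punished.
	if not hasKey(player, reason, key) then
		return
	end

	-- Type check: an exploiter can send any Lua value, not just a Vector3.
	if typeof(targetPosition) ~= "Vector3" then
		return
	end

	-- Rate limit on the server clock, not on anything the client reports.
	local now = os.clock()
	if lastShot[player] and now - lastShot[player] < MIN_INTERVAL then
		return
	end

	-- Ammo is server state; the client never tells the server how much it has.
	if (ammo[player] or 0) <= 0 then
		return
	end

	-- Range check against the character position the server knows about.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root or (targetPosition - root.Position).Magnitude > MAX_RANGE then
		return
	end

	lastShot[player] = now
	ammo[player] -= 1
	-- Damage would be applied here, computed from server-side positions only.
end)
```

The first half is what the opening post describes; the second half is the part that actually carries the security, because none of its decisions (fire rate, ammo, range, argument types) rely on a value the client supplied beyond the target position, and that position is checked against server-side state before anything happens.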