I have a tool with a LocalScript inside of it and when the tool is activated, the LocalScript sends a RemoteEvent to the server and the server will reward the player with cash. However, I have heard some people say this isn’t entirely safe. If it isn’t safe what else should I do? Do I just need some extra checks on the server before rewarding the player cash?
Yes, you need to check the validity of the request on the server side, or else a bad actor could potentially fire your remote event at any time and reward himself with cash.
1 Like
So I could check if the player has a debounce folder and then reward them cash from the server and if that debounce folder isn’t there then it will reject the request?
It’s best not to rely on the client for important information like money. You should see if you can detect when the client should get money on the server, and if you can’t, you should perform some type of validation on the server to make sure the request is valid (like @BitLang said).
1 Like
So I could do this from the server?
Sure, if that’s how it works - I don’t know what kind of code is in your game. Just make sure that the requirement to get money is checked on the server side, and that you do not leave it to the client. You should always be assuming that anyone can fire any remote event at any time - be vigilant.
1 Like