I wouldn’t suggest using a password to secure your remotes. If you store the password on the client any exploiter can easily see this value. If you want your remotes to be secure just make sure the server does all of the work.
Generally only user input or actions should be sent to the server. You shouldn’t give the client the ability to do anything even if you believe it’s secure because security like this will ONLY slow the exploiter down with no extra benefit.
Anything you can do in your localscripts an exploiter can also do.
An exploiter can view anything that is on the client, as well as anything visible to the client (Workspace, ReplicatedStorage, etc…)
They cannot see services that are only accessed via the server however. This includes ServerScriptService, ServerStorage, etc…
The exploiter can view the source code of your modules (that are in a service view-able by the client) as well as your localscripts. As I stated above.
Passwords for admin events are extremely insecure and will result in your events being abused!
#1 rule about developing a game is never trust the clients input, always sanitize and check input if you have to take client input. This is was a major problem in Phantom Forces, In fact I’m currently working with the developers in StyLiS on sanitizing and removing trust that did and could potentially cause problems.
A Exploiter can use a Remote Spy, it can see any remote that’s being fired and the variables that are going through, therefore the Security Key.
I’ve tried this before in my previous games and it didn’t take long for an Exploiter to figure out my Security Keys and get around them. Since then, I’ve moved to strong server verification which makes it harder to Exploit, it is possible, but not by most.
I don’t know why you’re using a password when Roblox supplies you with a better security measure. NodeSupport already stated this, so I’ll just expand off his answer.
local admins = {
[22225270] = true; -- my id
[37177731] = true; -- maybe your id (too lazy to check)
[2] = true; -- even john doe himself
}
yourEvent.OnServerEvent:Connect(function(plr)
if admins[plr.UserId] then
print(plr, "is an admin")
else
print(plr, "is not an admin!")
end
end)
As far as I know, it’s pretty difficult if not impossible to spoof the Player argument, since the server has access to everyone’s IP addresses and most likely uses that.
Background: You can’t always trust the client to do the right thing and sanity checks are the easiest ways to secure your remotes mechanic wise. For example if someone’s 1000 studs away from another person doing melee damage, your server should be able to ignore that sort of call and possibly kick the person responsible depending on the circumstances. There are many theories on how to secure your game but by far just predicting possible problems may help you in the long run.
Answer: In this circumstance, having a table of “Admins” in the server script and ignoring anyone else who says the password may help you as others have demonstrated.
What you’re doing (a password for remotes) is a type of practice called “security through obscurity”. I’d argue that it’s not true security (blah blah blah someone’s going to retort grumble grumble). Ideally what you want to do is have your server do sanity checks and validations on its end when a remote is fired, rather than having the client send the server a “password”. This is not secure.
The ultimate goal in security should be to make your server as secure as possible with as little leverage points for exploited clients to take advantage of. And please do not bother trying to make the client secure, you aren’t going to get far with that. A client owns their device, they can do as they please with it.
Didn’t think about that one, could be a good one.
I’ve personally got a pretty good trap for the Exploiters that play my game…
I’ve set up fake remotes, that when are fired they ban the players - they are not used by anything.