so you are basically telling me to only use client side to fire the event and then server to manage everything?
Essentially that is the best way to secure a game. Trust nothing the client sends.
The client should really only be in charge of sending events or handling things specific to the player (like UI)
The server should manage everything important.
That is a pretty smart idea, to be honest. I would really like to use it in my future games.
This seems pretty pointless because you don't actually gain anything from banning a (potential) exploiter messing around with your RemoteEvents.
To begin with, if your game logic is exploitable, then it's completely your fault for having a poor network model (barring local physics hacks like noclip or whatever); it simply shouldn't be exploitable (or not to a degree that will affect anything important) if you are handling your network as well as you can (relatively easy to do for most games; it's things like shooters that rely highly on client input and feedback that are more complicated, but still accomplishable, to have a secure network model).
Secondly, banning exploiters doesn't really achieve anything, except wasting their time until they can get on another account or whatever. If anything though, you are wasting your own time more than you're wasting theirs, by implementing things which will make no tangible benefit to your game's security; instead, I think, it is better to devote your attention to making the network model more secure in the first place. It's a very treatable disease, so focus your effort on the causes and not the symptoms.
…
Actually, in my opinion, it's pretty much a waste of time to ban exploiters at all, because if they care enough to download hacks and use them on their game, they probably care enough to spend a few minutes logging into a different account. Instead just kick people if there's blatant exploiting going on (like insane walkspeed, or something); that also avoids false calls, because, for legitimate players, getting kicked is a mild inconvenience, while getting banned is a giant pain for innocent people who might have been the victim of a bug, or some screwy exploiter detection logic, instead of an actual exploiter.
I think this is also just completely stupid, and a waste of your time. What if there's a bug or something screwy in your game code, and you send "slightly incorrect" parameters? Even if, worst case scenario, an exploiter is trying to abuse your RemoteEvents, if you are handling server checks properly (which you probably are if you're kicking people…) then they shouldn't be able to do any harm.
then what is the best way?
What I've learned from my topic was to never trust the client and let the server do everything, right?
Yes, and that's the point. "Never trust the client" basically just means "verify everything on the server." The server should be making all decisions, such as whether a player is an admin, or whether to grant/spend cash.
The client should be used for providing feedback (e.g. GUIs, sounds, etc), sending data to the server (RemoteEvents), and handling any local physics kinda stuff, but not handling game logic.
I find that complicated to explain, though, because it's not one-size-fits-all; in general, everything important should be verified on the server, and then performed on the server.
My network philosophy is to evaluate the absolute worst thing the player could do with any logic handled on the client. If the worst case scenario for a player manipulating your local code is something harmful to the game, then you need to re-evaluate your network model.
Again, of course, there are exceptions (especially when you get into handling physics, in which case the client has to be given a degree of trust, or things are going to be more unresponsive than Windows Vista), but you never ever let the client have full control.
If you want some practical examples, feel free to reply with a situation in your game and I can tell you how I think I'd handle it.
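As an added illustration of the "verify everything on the server" model described above (example code, not from the thread or any poster): a server-authoritative purchase flow. The client only fires a RemoteEvent naming an item; the server owns the price list and the cash value, validates the single client-supplied argument, and is the only side that mutates state. The event name "BuyItem", the leaderstats "Cash" value, and the item names are hypothetical.

```lua
-- Server script (e.g. in ServerScriptService). Assumed setup: a RemoteEvent
-- named "BuyItem" in ReplicatedStorage, and each player's cash stored
-- server-side as leaderstats.Cash. All names here are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local buyItem = ReplicatedStorage:WaitForChild("BuyItem")

-- The price list lives only on the server; the client never gets to send a price.
local PRICES = { Sword = 100, Shield = 250 }

-- Simple per-player rate limit so a client spamming the event gets ignored,
-- not punished (the thread's point: handle it, don't ban over it).
local MIN_INTERVAL = 0.5
local lastRequest = {}

-- Authoritative cash is read from server-owned state, never from arguments.
local function getCash(player)
    local stats = player:FindFirstChild("leaderstats")
    return stats and stats:FindFirstChild("Cash") or nil
end

buyItem.OnServerEvent:Connect(function(player, itemId)
    -- 'player' is supplied by the engine for the connection that fired the
    -- event, so the sender cannot claim to be someone else.
    local now = os.clock()
    if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then
        return -- too fast: drop silently
    end
    lastRequest[player] = now

    -- Validate the only client-controlled input before touching any state.
    if typeof(itemId) ~= "string" then return end
    local price = PRICES[itemId]
    if price == nil then return end -- unknown item: ignore

    local cash = getCash(player)
    if cash == nil or cash.Value < price then return end -- insufficient funds

    -- Decision and mutation both happen here, on the server.
    cash.Value -= price
    -- Grant the item in server-side inventory here, then inform the client
    -- so it can update its UI. The client response is feedback only.
    buyItem:FireClient(player, itemId)
end)

Players.PlayerRemoving:Connect(function(player)
    lastRequest[player] = nil -- avoid leaking entries for departed players
end)
```

On the client the whole interaction is `buyItem:FireServer("Sword")` plus an `OnClientEvent` handler that updates the GUI; no cash or price logic runs there.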
Thanks for replying to my message. Now I clearly understand how to make games more secure and safe.
Sure, but trolling exploiters sure is fun.
Besides, some games like PF just flat out ban you if you hack in the slightest of ways, to deter future attempts.
You should never "troll" exploiters. If you intentionally make them mad, it gives them more motivation to try to break your game.
A simple anticheat ban or a kick is good enough.
Are you sure about that? Because luadec and unluac can only decompile LocalScripts and modules,
not server scripts. They can't decompile server scripts because their bytecode is never, and I mean never, sent to the client at all.