My Clientside (server) Scripts and what to do with them? (Exploit protection)

Hello, I have made a bunch of scripts inside of StarterPack and StarterGui.


They are Server Scripts and from what I am aware, you can just (an exploiter) edit the scripts and cause the game to delete itself if you so choose.

I’m probably about to answer my own question: should I use individual LocalScripts and maybe a ModuleScript on the Server Side with RemoteEvents connecting them?

For example, this is currently the “HandleOxygen” Script, that edits GUI (it is in StarterGui, as a ServerScript):

local Tweenfo =

local tween
local oxygenHit0 = false

	script.Parent.ImageTransparency = (pBools.Oxygen.Value / 100) + 0.15
	if pBools.Oxygen.Value == 0 then
		local alreadyExists = false
		for _, items in pairs(script.Parent.Parent.Parent.ScreenGui.StatusEffect:GetChildren()) do
			if == "Drowning" then
				alreadyExists = true
		if not alreadyExists then
			local copy = script.Drowning:Clone()
			copy.Parent = script.Parent.Parent.Parent.ScreenGui.StatusEffect
			local tween = tweenService:Create(script.Parent.Parent.Parent.ScreenGui.StatusEffect.Drowning.ImageLabel, Tweenfo, {ImageTransparency = 1})
			script.Parent.Parent.Parent.ScreenGui.StatusEffect.Drowning.ImageLabel.ImageTransparency = 0
		oxygenHit0 = true
	if pBools.Oxygen.Value > 0 and oxygenHit0 then
		oxygenHit0 = false	
		local pbState = tween.Completed:Wait()
		if pbState == Enum.PlaybackState.Completed then
			if script.Parent.Parent.Parent.ScreenGui.StatusEffect:FindFirstChild("Drowning") then

But then how would I go about stopping the player/exploiter from just deleting the local scripts?

P.S. I probably horribly worded this question, sorry.

I think you have things a bit backward. “LocalScripts” are actually client side scripts and “Scripts” are server side.

But I have them locally, sorta, so it can edit the server side property of certain bool values, such as a bool saying that the player is underwater. Instead of them hidden from the client, in ServerScriptStorage.

“Scripts” will not run on the client.

You can do cross client talk though using remote events or remote functions.

But they will still be visible to someone that calls a print(game.Player.[Username]:GetDescendants())
and sees the script and destroys it (or possibly edits it? I’m not sure about that, because they could edit the script to delete the game from the server side).

I realise I can do RemoteEvents and R-Functions. I wrote this for some reason like this (a while ago) then did a tonne of research on exploiting, before continuing.

The bytecode of regular scripts in any container, including StarterPack and StarterGui, will never replicate to any client, meaning exploiters can’t read or edit them in any way. The only instance that you could be compromised by an exploiter is if you used ModuleScripts with sensitive information like an API key that was stored on a client-oriented container (i.e. StarterGui and StarterPack).


Is this new with the Lua (thing) that Roblox recently released? (Luau?)

Does this mean that I wouldn’t have to re-write the scripts and that it is secure as long as I don’t have any Client-side module scripts that someone can go:

while true
    for i, v in pairs(game.Players:GetDecentants)

Was written as an example and probably wrong ahah.

This is what the filtering-enabled system does; it creates a filter between the client and server so the client can’t modify server attributes. Luau just optimized Roblox’s version of Lua (VM) and made it a bit harder for exploiters to reverse engineer games.

Requiring modules on the client will also only load them on the client, it won’t load on the server environment.

Ah, thank you, so even if I don’t store all my server scripts behind the ServerScriptStorage, they will be “safe”.

Cheers. This is exactly what I wanted to know.

hiding your server scripts anywhere won’t make a difference because they have not and never will send their bytecode to the client (allowing them to be converted back into uncompiled look-alike source code)

i honestly have no clue how you came up with this conclusion but since you mentioned ModuleScripts i might as well tell you that they are compatible to be “imported” in runtime via the server-side and client-side, therefore it is possible for their content to be viewed if they are not a descendant of ServerScriptService or ServerStorage

I just didn’t know. What I read up on seemed to suggest reading of the bytecode but never mentioned on what type of scripts.

I currently have all my ModuleScripts saved in ServerScriptStorage, so that shouldn’t be a problem…

But thanks!
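
An added example, not part of the thread or any poster's code, of the LocalScript plus RemoteEvent split the original poster proposes: the server keeps the only authoritative oxygen value and the client merely draws it, so deleting the LocalScript breaks that player's own display and nothing else. The event name `OxygenChanged`, the `WATER_LEVEL_Y` check, the tuning numbers and the damage on empty oxygen are assumptions made for illustration.

```lua
-- Script in ServerScriptService (server side; its source never replicates to clients)
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local WATER_LEVEL_Y = 0    -- assumed: below this height counts as underwater
local DRAIN_PER_TICK = 5   -- assumed tuning values
local REFILL_PER_TICK = 10

-- Server -> client only: nothing connects to OnServerEvent, so a client cannot set oxygen
local oxygenChanged = Instance.new("RemoteEvent")
oxygenChanged.Name = "OxygenChanged"
oxygenChanged.Parent = ReplicatedStorage

local oxygen = {} -- [Player] = number, held in server memory only
local function track(player) oxygen[player] = 100 end
Players.PlayerAdded:Connect(track)
Players.PlayerRemoving:Connect(function(player) oxygen[player] = nil end)
for _, player in ipairs(Players:GetPlayers()) do track(player) end

while true do
	task.wait(1)
	for player, value in pairs(oxygen) do
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		local humanoid = character and character:FindFirstChildOfClass("Humanoid")
		if root and humanoid then
			local underwater = root.Position.Y < WATER_LEVEL_Y
			local delta = underwater and -DRAIN_PER_TICK or REFILL_PER_TICK
			local newValue = math.clamp(value + delta, 0, 100)
			oxygen[player] = newValue
			if newValue == 0 then
				humanoid:TakeDamage(10) -- assumed consequence, applied on the server
			end
			if newValue ~= value then
				oxygenChanged:FireClient(player, newValue) -- display update only
			end
		end
	end
end

-- SEPARATE FILE: LocalScript under the oxygen ImageLabel in StarterGui (display only)
local oxygenChanged = game:GetService("ReplicatedStorage"):WaitForChild("OxygenChanged")
oxygenChanged.OnClientEvent:Connect(function(value)
	script.Parent.ImageTransparency = (value / 100) + 0.15
end)
```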