Need quick clarification on what the client can and can not "see"

Firstly (and rather admittedly) I will apologize if this thread’s question didn’t exactly fit in the most ideal category. Also, and to my surprise, I looked for about an hour for an answer to a question of mine but there doesn’t seem to be any as far as I know.

Anyhow, for the quick question -

Is a player’s client able to modify/delete (or create another even) a Billboard Gui located in game.workspace? I have absolutely NO remote events linked to either server or client in this - The Gui is created on a server script and then cloned to a holder object (an invisible part) in workspace. From what I have tested, the Gui displays seamlessly when the adornee is set to a desired Player’s character. The text, color, and strings are also set in the server beforehand via the server script.

The main point of this question is for me to be informed of how this can apply to any other Gui/player tracking methods, so they can be more secure from exploits/ineffective data use and easier to comprehend.
(Also, this is something I really need to know right now because it’s just good practice for me to know from here on.)

Yes, an exploiter will be able to create a Billboard Gui within workspace and edit a current one but it will only be visible to them and nobody else.

An exploiter can access and view things in Workspace and ReplicatedStorage, as well as run client-sided code. However, they can’t touch anything on the server, and if they modify something the server can view, the server won’t see that change.

Hm. I see. So if that exploiter does change any of the Billboard’s TextLabel’s Text (even those of other players, because the invisible workspace part holds Billboards for each player’s character in the server), only their client will see the changed text, while another player, a non-exploiter, would just see whatever text I set it to from the server as normal?

Yes, that is correct. Anything the client does (with some exceptions such as player character replication and others) will not replicate to the server and will not replicate to any other client.

Also this should be in Scripting Support (I believe)


Yes, this is exactly the case here.

Chances are, if you’re not using Remotes, there isn’t a vulnerability. :smiley:


Thank you both for your help! But before I go back to working, @Mystifine, may you tell me more about that Player character replication and maybe give me one other example of those exceptions? (I’m sorry, I’m paranoid when it comes to the crazed world of exploits)

I promise I’ll be off after, no worries. :smiley:

As long as you’re keeping the general rule of thumb when it comes to coding you should be fine. Just remember:

  1. Never trust the client
  2. Never trust the client (again)
  3. Always make sure to use if statements to check if certain conditions are possible
  4. Never trust the client

As for character replication, when players move it is replicated to the server since this is necessary. This is why speed exploits, flying and other exploits related to the local character are replicated to everyone else. The solution would be to build a defensive script against these. The player’s character will replicate to the server (position, CFrame) but adding new instances from the client to the character will not.
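The server-side "defensive script" mentioned in the post above could look like the following Luau sketch. It is an added example, not code posted by anyone in this thread, and the interval, tolerance and strike values are assumptions to tune per game.

```lua
-- Server Script, e.g. placed in ServerScriptService (added example, not from the thread).
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")
-- Assumed tuning values, not from the thread.
local CHECK_INTERVAL = 0.5 -- seconds between samples
local TOLERANCE = 1.5      -- slack for latency and physics jitter
local MAX_STRIKES = 3      -- consecutive bad samples before correcting
local states = {} -- [Player] = { last = Vector3, good = Vector3, strikes = number }

local function checkPlayer(player, elapsed)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not root or not humanoid or humanoid.Health <= 0 then
		states[player] = nil -- dead or respawning: start over on the next sample
		return
	end
	local state = states[player]
	if not state then
		states[player] = { last = root.Position, good = root.Position, strikes = 0 }
		return
	end
	-- WalkSpeed is read on the server, so a client-side edit does not raise the limit.
	local allowed = humanoid.WalkSpeed * elapsed * TOLERANCE
	local delta = root.Position - state.last
	local moved = Vector3.new(delta.X, 0, delta.Z).Magnitude -- ignore falling
	state.last = root.Position
	if moved <= allowed then
		state.good, state.strikes = root.Position, 0
		return
	end
	state.strikes += 1
	if state.strikes >= MAX_STRIKES then
		warn(string.format("%s: %.1f studs in %.2fs, limit %.1f", player.Name, moved, elapsed, allowed))
		root.CFrame = CFrame.new(state.good) -- return to the last accepted position
		state.last, state.strikes = state.good, 0
	end
end

local accumulated = 0
RunService.Heartbeat:Connect(function(dt)
	accumulated += dt
	if accumulated < CHECK_INTERVAL then return end
	for _, player in ipairs(Players:GetPlayers()) do
		checkPlayer(player, accumulated)
	end
	accumulated = 0
end)
Players.PlayerRemoving:Connect(function(player) states[player] = nil end)
```

If the game itself teleports players or moves them in vehicles, clear `states[player]` at that moment so the legitimate jump is not counted as a violation.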


Alrighty! Sounds great! I do checks on the server from the remotes the client fires ( which only send strings or Player objects) so I think I’m good!

Thanks for the replication explanation, I will probably take a ton of time to build an anti-exploit for the character replication last (As the game is not public yet), but then again, thank you both for clearing things up!

I’d be glad to help you with that, as I’ve already built a client-sided anti-exploit which should keep out the majority of exploiters that don’t know how to professionally exploit (and just copy-paste code from others).

Personally, what I’ve done is: if there is any suspicious activity on the client, the client will notify me on a Discord server (by telling the server first), sending me logs such as the character Velocity, Click Rate and other stuff.

Also make sure to randomise your local script names so they can’t just delete the anti-exploit :slight_smile:. (For this to work you’d have to preload all modules beforehand in a table or somewhere.)
