NexusBan - The Global Exploiter-Ban-List

Welp, after I finished all my updates I’ll make it public

Hey there:
Someone brought this thread to my attention, thought it was interesting:

Yes, nobody can access the module when it’s private.

Here’s my thoughts:

  • Leave the module public, but only have NexusBan fetch the list of banned offendees.
  • Put your API behind some authorization wall; a simple server-client handshake would do.
  • Make your API’s endpoints hard to find. Everyone is going to try and find /ban and /unban on your API; try something a bit different.

Do you see if my site is connected, because I see no module in-game, or UI of anything, if the require should insert anything?
I put it in News Targeted [NT] Admin System - Roblox

Well, the /ban, /unban API is behind a really long 512-character admin password, but it’s in HTTP so I’m screwed either way

I didn’t say you would. But it is a possibility.

What happens when a user gets banned in one game due to a false detection by the game that then goes to your module? Is this module meant to be used only by manual activations by an admin of the game?

False detection that goes to my module?

ALL bans are MANUALLY made by ME

How would you be “screwed?” You’ve just told me that there’s a 512-character-long password? The best option is to use a header for authorization.

On HTTP people can sniff everything, every request from everyone.
It’s like you’re welcoming the stuff.

If you add an api key requirement, that it has to do a handshake with the site, in order to validate the API key, that way you can make sure it’s the right place, and not abused.
That is why I did my setup that way.
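
One way to do the header-based authorization discussed in this thread without putting the password itself on the wire, shown as an added example that is not code from any poster or from NexusBan: each request carries an HMAC signature and a timestamp instead of the secret. The secret value, the header names and the `/admin/action` path are hypothetical.

```python
import hashlib
import hmac
import time

# Hypothetical shared secret (constructed for this example); load from config in practice.
SECRET = b"constructed-example-secret"
MAX_SKEW = 30  # seconds a signed request stays acceptable


def sign(secret, method, path, body, timestamp):
    """Hex HMAC-SHA256 over the method, path, timestamp and body of a request."""
    msg = b"\n".join([method.encode(), path.encode(), str(timestamp).encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def client_headers(method, path, body, now=None):
    """Headers the calling game server attaches (header names are hypothetical)."""
    ts = int(time.time() if now is None else now)
    return {"X-Timestamp": str(ts), "X-Signature": sign(SECRET, method, path, body, ts)}


def verify(method, path, body, headers, seen, now=None):
    """Server-side check: fresh timestamp, matching HMAC, signature not seen before."""
    now = time.time() if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
        sig = headers["X-Signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed auth headers
    if abs(now - ts) > MAX_SKEW:
        return False  # old capture replayed later
    expected = sign(SECRET, method, path, body, ts)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False  # wrong secret, or the request was altered in transit
    if sig in seen:
        return False  # exact replay inside the freshness window
    seen.add(sig)
    return True


if __name__ == "__main__":
    seen = set()
    body = b'{"userId": 1}'  # constructed sample request body
    headers = client_headers("POST", "/admin/action", body)
    print("first delivery accepted:", verify("POST", "/admin/action", body, headers, seen))
    print("replayed copy accepted:", verify("POST", "/admin/action", body, headers, seen))
```

A valid signature shows the sender holds the secret and that the request was not altered; it does not hide the request or response from anyone who can read the traffic.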

Why don’t you create a JSON on gist that contains all the banned users and then require it from a script in Roblox?

That’s basically what happens, but there’s an API that doesn’t show everything but only certain information like is he flagged and the reason

xsup9 is covering exactly what I’m saying.

Your HTTP api IS secure, and is only interceptable from the server, unless the network is tapped into, which, on roblox server, is impossible.

There’s someone going around trying to access stuff or smth

[21/Apr/2025 20:13:10] "GET / HTTP/1.1" 404 -
[21/Apr/2025 20:13:16] "GET /robots.txt HTTP/1.1" 404 -
[21/Apr/2025 20:13:21] "GET / HTTP/1.1" 404 -
[21/Apr/2025 20:13:41] "GET / HTTP/1.1" 404 -

Can the person trying to access my API stop or I’ll blacklist their IP

Are you sure it’s not roblox’s IP trying to access your site?

Yea, since it’s someone going wild and trying random URLs trying to find the right one

Roblox doesn’t grab robots.txt

Web crawlers are everywhere. If your API has an appropriate API key then everything should be fine?
Your API should have a protected and un-protected side, with the protected side managing the bans and the unprotected side managing the traffic to the module. However, how do you expect to detect all of the exploiters manually?

If you are using the Ban Service and banning alt accounts then it is very easy to bypass. If using a VPN and getting banned on that account, for example, then that server wouldn’t be able to be used by anyone else who wants to play while using a VPN. There are also a mass number of VPN servers, meaning you can slim down the amount of users that can exploit but they could easily switch.
There is no way to properly ban users manually even with alt detection. Everything can be bypassed. What are your ideas on combating this? Just to continue manually banning them?

I suggest you use Cloudflare for all that it is worth.
Even on requests to and from roblox.
That way, you can both filter and block requests from roblox and other places.
That is why I questioned why you keep using HTTP instead of https.

I said multiple times.

My host does NOT like Cloudflare so I have to do Cloudflare tunneling, which is 10 times harder