NexusBan - The Global Exploiter-Ban-List

What host are you using? I bought my domain through Cloudflare, since it’s 10x cheaper than any other hosting service, and I use Contabo (link is an affiliate) as a VPS host, since it’s the cheapest I could find.
That way I have 0 problems with Cloudflare :slight_smile:

Also, if you add new updated files, you should put them in the main post:

Oh ok, I’ll update the main post, but can I like pin posts at the top?

1 Like

Nope, the Roblox forum doesn’t pin anything, that’s why people just edit the main post :slight_smile:
Also do let me know once or if your system goes live, I’d like to test it :slight_smile:

1 Like

More specifically, my systems relied on high levels of trust. This was achieved with a very strict zero-tolerance policy that even had a popular game owner retired from being a RAE admin simply for using the RAE admin controls in their own game for non-RAE-related activities. The private source loading was critically essential to enforce this, as I had to have everything any admin did get logged to my remote servers. The system had a multiple key exchange setup to ensure only my scripts could authenticate with my remote servers, so there was negligible risk of false logs being submitted. These keys had to remain private, and I went to great effort to ensure my scripts buried themselves as hard as possible server side on startup so that even a game owner could not get to them at run time.

The loss of private modules only eliminated users’ services that, like mine, relied on secure run time execution with sensitive security keys that even the game owner could not access. It also subsequently had basically no effect on the malicious backdoor issues in the studio plugins, as the malicious actors simply started paying third party services to heavily obfuscate their injection and/or execution scripts, so that if a game owner did happen to find the injection it would not point to the true code being executed, or at least would make it a royal pain to even attempt to. Paired with them burying it under multiple layers of these obfuscation injection scripts, as well as the obfuscation services getting more and more resilient, it eventually made the public source requirement a moot point.

I will forever be salty about this, as I’ve begged and pleaded with Roblox numerous times through the years, even so far as to talk to the admins at RbxDev conferences a couple of times (maybe one, I’m not sure. Been a long time now), which essentially would go along the lines of: they see and understand and would forward my information, as well as the easy fixes I offered, to the relevant departments, but none of it ever got properly addressed. To this day there are still critically essential security needs for HttpService that the admins have yet to provide a solution for, to my knowledge. It’s ultimately why I haven’t put effort into rebuilding my systems, partially from offline constraints and partially for the lack of a viable option to ensure logging integrity in other game owners’ games. I’d need some way to confirm that my source was not altered by the game owner (to, let’s say, inject malicious logs that frame an admin or player) at run time, which, unless something has happened in the years that I’ve shifted my attention elsewhere, is not currently possible. The only option I would have would be to use the obfuscation services, but that would introduce 2 points of failure, where the service now has the code and hard-coded security keys, and obfuscation is technically reversible to a degree. With enough time, patience, and skill there’s always the possibility of a malicious actor breaching the obfuscation and getting close enough to the source code to get the security keys. Overall, a no-win scenario for devs like me.

1 Like

I do think Roblox is trying to address the “key” situation, in the cloud now.
But I don’t think they are fully there yet.

At the moment it’s mostly API keys for Roblox’s own APIs and OAuth2 apps they think of.
If they did the same as they do for their own APIs, allowing custom API security, then we could speak of using that system in our apps.
But as always, it can take time to get things done.
Maybe @Roblox or any of the staff can clarify this, or give some positive feedback?

The gist of my suggestion was to apply a request validation method so third party servers can verify that requests truly originate from Roblox’s servers. One way would be to assign GUIDs to outgoing requests that could then be used, possibly in conjunction with servers’ job ids, in an API call to validate that the request was truly from Roblox, possibly with place id and time of request being the API results, which should match the place id header already being sent with outgoing requests. This would at least eliminate the security risk of someone impersonating another place, or attacking the web dev’s API endpoints outside of the Roblox infrastructure by impersonating a Roblox server request. This would give devs a point to look for if a malicious request is caught, and a specific place that would have possibly altered the source code or been somehow breached for server side execution. Seems fairly straightforward to me as far as implementation, and it could be heavily rate limited to ensure load stays low. The ideal solution would be for this security key to be uniquely generated per script interacting with the HttpService, but that may be asking too much, as it would be a more involved task (possibly a new method in HttpService to request a unique variant of HttpService that operates the same but has its own security GUID tied to requests instead of a server-wide one used by default). That way it’s up to the script writer and/or game owner to ensure their particular script is well secured enough to prevent impersonation. Overall, I know there’s lots of moving parts to a change like this, but it would be a genuinely solid change to the benefit of developers and, overall, another hard hurdle to overcome for malicious actors. Perhaps one day something like this can be supplied, but c’est la vie, such is life.
I make do with what I have, and that is ultimately why my system has a triple key exchange handshake with a uniquely generated and hashed security key that my script would use for communications after completing the startup and authentication processes. Mostly because if the malicious actor could breach the source code, the game’s datastore, and the run time generated unique key that exists solely as a local variable in the server side scoped script, then the game owner and Roblox as a whole would have much larger problems. My server also ensured multi-layer encryption so any sensitive information would be unrecoverable in the event of a db breach, which, thankfully, due to my personal pet peeve in security, never happened to my services.
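The verification side of the request-validation scheme proposed in the post above, written as an added example and not code from the thread or from Roblox: the third-party endpoint reads a per-request GUID and the place id header, looks the GUID up through the proposed validation API, and refuses requests whose place id does not match, that are stale, or that replay a GUID already honoured. The header names, the validation API and its in-memory registry are all assumptions (the GUID mechanism is the post's proposal, not an existing Roblox feature).

```python
"""Third-party endpoint side of the proposed request-validation scheme.

Everything Roblox-side here is a constructed stand-in: the per-request GUID
and the validation API are the thread's proposal, not a real Roblox feature.
"""
import uuid
from typing import Dict, Optional, Tuple

# Constructed stand-in for the Roblox-side registry the hypothetical
# validation API would consult: GUID -> (place id, time the request was issued).
_ROBLOX_REGISTRY: Dict[str, Tuple[int, float]] = {}

# Header names are assumptions chosen for this example only.
GUID_HEADER = "X-Roblox-Request-Guid"
PLACE_HEADER = "Roblox-Id"


def roblox_issue_request(place_id: int, now: float) -> Dict[str, str]:
    """Simulate Roblox stamping an outgoing HttpService request with a GUID."""
    guid = str(uuid.uuid4())
    _ROBLOX_REGISTRY[guid] = (place_id, now)
    return {GUID_HEADER: guid, PLACE_HEADER: str(place_id)}


def roblox_validate_api(guid: str) -> Optional[Tuple[int, float]]:
    """Stand-in for the hypothetical (rate-limited) validation API call."""
    return _ROBLOX_REGISTRY.get(guid)


class RequestValidator:
    """Checks an inbound request before the endpoint trusts its place id."""

    def __init__(self, max_age_s: float = 30.0) -> None:
        self.max_age_s = max_age_s
        self.accepted = set()  # GUIDs already honoured, so replays are refused

    def validate(self, headers: Dict[str, str], now: float) -> Tuple[bool, str]:
        guid = headers.get(GUID_HEADER)
        place_header = headers.get(PLACE_HEADER)
        if not guid or not place_header:
            return False, "missing guid or place id header"
        if guid in self.accepted:
            return False, "replayed guid"
        record = roblox_validate_api(guid)
        if record is None:
            return False, "guid unknown to roblox"  # forged outside Roblox
        place_id, issued_at = record
        if str(place_id) != place_header:
            return False, "place id mismatch"  # one place impersonating another
        if now - issued_at > self.max_age_s:
            return False, "request too old"
        self.accepted.add(guid)
        return True, "ok"
```

A rejected request carries the reason string, which is the "point to look for" the post mentions: the GUID and place id of a mismatch identify which place to investigate.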

Another ambitious DevForum project executed terribly. Sips Tea

2 Likes

Requires: Lots of trust.

Has: Little reputation as a project

Result: Needs time to get such reputation, be it good or bad.

My position:

That’s my resume. This has been tried dozens of times; it never works; it falls apart somewhere in the chain. I’d not ban every exploiter regardless. Talking from experience here, some people simply exploit specific games, not all games they come across. ‘Protecting’ your game by banning every exploiter isn’t the most effective solution for you; if you rely on luck and the algorithm, you will be greatly reduced in audience, being that legitimately a large portion of the playerbase is, has, or will cheat someday, because some games are just far too annoying to play legitimately, be it cheating using a damn ‘AutoClicker,’ Synapse Z, AWP.gg, or whatever you make it out to be.

I’d never ban everyone from a game just because little Timmy decided to inject Xeno and load Infinite Yield FE to use ;vehiclefly on a game in which he has to drive 2,000,000 studs before achieving anything substantial.

“Just change games!” Perhaps this speaks more of you as a user, willing to spend their entire life just doing something like playing a game instead of picking the easier way out. Everyone has cheated once in their life, be it in ROBLOX, IRL, or anything, because it is a path with less resistance than the one the game naturally provides.

In short, I’d really not use this; it simply does not align with me as a whole, and I have seen previous attempts at similar ideas in communities like Minecraft, which have catastrophically failed. This also means that user data may need to be hosted outside of the platform, meaning you may need to abide by GDPR and delete that data. You will never have the level of data tracking ROBLOX can implement themselves. You’re better off leaving the banning to ROBLOX, not to the developers. Because we are vastly limited, they’re not.

2 Likes

As I said before, life isn’t just unicorns and rainbows, you’re in the outside world, where almost everything has been attempted.

Okay, here is a statement for everyone.
Okay, you give your opinions.
But what do you want me to do with those?

Like, I don’t care?
Most of the time it’s even complaining.

And no one can tell me saying in my face “quit your project” is a suggestion

If you aren’t gonna try to get feedback, there’s no reason to post it here.
We try to level up your system, but if you’re just gonna complain, instead of listening to suggestions, why would you post here?

Feedback…
Complaining is feedback.

You know what fine.
Everything from now on is feedback.
Got it.

Please quit the project.
It sucks and isn’t corrupt-staff-proof.

3 Likes

Nice opinion, I don’t care tho.
I won’t quit.
And guess what, you can’t do anything about it : D

I’m building citadel anticheat v3 and ironbrew1 lil bro

1 Like

You will likely be disappointed, then. It’s very unlikely this succeeds

3 Likes

How dare you give actual feedback and let the truth be known. That’s so toxic.

Shame on you for giving feedback so others can improve their work.

I am being sarcastic, if that wasn’t clear.

2 Likes

Update 2 Pushed

Check main message

I’ll keep trying… But to build trust I need people to use NexusBan, but for people to use NexusBan I need trust. It’s just a loop :sob: