Opinion on the way I'm using events

Hello, I have two events, one is called damage and the other is called heal. When the player gets damaged, the client fires the event to the server to indicate that the player got damaged/healed, and then the server fires to a different client script the amount and the player's name. Then the client will change the health bar depending on the values. I also have a respawn character event, and when the character dies the client fires to the server to create another one. Is there a better way to do this and not have it so exploitable?

client:

healButton.MouseButton1Click:Connect(function(heal)
	healEvent:FireServer(1)
end)
damageButton.MouseButton1Click:Connect(function(dmg)
	damageEvent:FireServer(25)
end)

server:

healEvent.OnServerEvent:Connect(function(player,heal)
	healEvent:FireClient(player, heal)
end)

damageEvent.OnServerEvent:Connect(function(player,dmg)
	damageEvent:FireClient(player, dmg)
end)

function respawnCharacter(plr)
	plr:LoadCharacter()
end

respawnEvent.OnServerEvent:Connect(respawnCharacter)

client2:

--when player dies
respawnEvent:FireServer()

healEvent.OnClientEvent:Connect(function(healAmount)
--heal code
end)

damageEvent.OnClientEvent:Connect(function(damageAmount)
--damage code
end)

The way you are using remote events can easily be exploited.

You are relying on the data that the client is giving when you shouldn’t be relying on the client at all. They can easily change this value to whatever they want if it is presented to them.

Instead of passing your value as an argument in your LocalScript, you should be trying the best you possibly can to work that value into your server script.

For example, you can tweak it by not including values in your arguments:

--client
healButton.MouseButton1Click:Connect(function()
	healEvent:FireServer()
end)

damageButton.MouseButton1Click:Connect(function()
	damageEvent:FireServer()
end)

--Server
--Move your values to the serverscript.
healEvent.OnServerEvent:Connect(function(player)
	healEvent:FireClient(player, 1)
end)

damageEvent.OnServerEvent:Connect(function(player)
	damageEvent:FireClient(player, 25)
end)

Then client2 would be the same.

That still wouldn’t solve the remote events being exploitable. An exploiter will just fire the remote and it will work as expected. You didn’t even implement sanity checks to begin with.

You can handle MouseButton1Click from the server (since it is replicated across the boundary) and implement debounce there so the exploiter can’t alter anything client-sided to their advantage, in contrast to client-sided debounce mechanisms and spam heal or damage.

Well yea, obviously there would be conditional statements that @peepo12343 would have to go through, but I can’t make assumptions on what those conditional statements are since I don’t know the structure he’s working with.

Also, I never said that my code would solve the problem of remote events being exploitable. Remote events will always be exploitable no matter how obfuscated or secured you make it. There is always a backdoor. This is just the first step of making your game secured.

I’m just demonstrating to OP that relying on client values is bad practice because exploiters can easily take advantage of this.

But if you have a better way of doing this, I’m sure @peepo12343 would love to hear.
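
The points raised in this thread (server-owned values, server-side debounce, sanity checks on the respawn request) combined into one server Script, as an added example that is not any poster's code. It assumes the three RemoteEvents sit in ReplicatedStorage under the names used above and that health is stored on the character's Humanoid; the cooldown values are illustrative.

```lua
-- Added example (server Script), not code from the thread. Assumed: RemoteEvents in
-- ReplicatedStorage under these names; health is kept on the character's Humanoid.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local healEvent = ReplicatedStorage:WaitForChild("healEvent")
local damageEvent = ReplicatedStorage:WaitForChild("damageEvent")
local respawnEvent = ReplicatedStorage:WaitForChild("respawnEvent")
local HEAL_AMOUNT, DAMAGE_AMOUNT = 1, 25 -- owned by the server, never read from the client
local COOLDOWN = { heal = 0.5, damage = 0.5, respawn = 3 } -- seconds (assumed values)
local lastUse = {} -- [player] = { [action] = os.clock() of the last accepted request }

-- Server-side debounce: accept an action only if its cooldown has elapsed.
local function allowed(player, action)
	local uses = lastUse[player] or {}
	lastUse[player] = uses
	local now = os.clock()
	if uses[action] and now - uses[action] < COOLDOWN[action] then return false end
	uses[action] = now
	return true
end

-- Returns the Humanoid only while the player's character exists and is alive.
local function livingHumanoid(player)
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	return (humanoid and humanoid.Health > 0) and humanoid or nil
end

healEvent.OnServerEvent:Connect(function(player) -- any client-sent arguments are ignored
	local humanoid = livingHumanoid(player)
	if humanoid and allowed(player, "heal") then
		humanoid.Health = math.min(humanoid.Health + HEAL_AMOUNT, humanoid.MaxHealth)
	end
end)

damageEvent.OnServerEvent:Connect(function(player)
	local humanoid = livingHumanoid(player)
	if humanoid and allowed(player, "damage") then
		humanoid:TakeDamage(DAMAGE_AMOUNT)
	end
end)

respawnEvent.OnServerEvent:Connect(function(player)
	-- Sanity check: respawn only when the character is actually dead or missing.
	if not livingHumanoid(player) and allowed(player, "respawn") then
		player:LoadCharacter()
	end
end)
Players.PlayerRemoving:Connect(function(player) lastUse[player] = nil end) -- free state
```

Because the server changes `Humanoid.Health` itself, the client health bar can read that replicated value (for example through `Humanoid.HealthChanged`) instead of trusting amounts sent over a remote.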