I have been doing some research on the capabilities of exploiters, and I have a few questions regarding best practices to ensure that they can do the minimal amount of damage in my games. I’ve been reading that exploiters can send false/malicious data through remote functions/events and that my local scripts and GUIs should have protections on them. However, I’m fairly new to local scripting and am not directly aware of what some of these protections should be. Does anyone have any tips on how I can best secure my local scripts and GUIs? Also, if you have any additional tips on protecting my game from exploiters, I would be eager to hear.
Sanity checks are a method by which you check the signal that came from the client. Is the data valid? Is the item in the player’s inventory? Is their position near the Part? And so on. Read more here.
Never trust the client
I’ve been using this term for a long time. Basically just don’t trust the client. Take it that the Client side is basically ‘open-sourced’ and everyone (hypothetically) can change your code.
With these methods, you can make your game safe. Then of course, you will need to write your own anti-cheats but that changes per game.
You may want to read over these community resources because they explain exploiting more in depth:
Never trust the client
Exploiters have full control over their client, meaning you should never trust the data the client has sent to the server and always assume it has been tampered with. You should also avoid trusting the client with anything important like controlling their own data because exploiters will be able to modify it. Exploiters can fake remote calls, control all remote traffic in and out of their client, modify/tamper with anything they see including all GUIs and game geometry/objects, execute various scripts and software on their client and move their character freely because they have network ownership over it, etc.
What could be done to protect your game against exploiters
You should try and make your server bulletproof with various checks to help stop exploiters messing with your game. Whenever a client fires a remote, always have server-sided checks in place to validate the data and to check if the remote call wasn’t faked because exploiters can freely fire remote events.
Have server-sided anti-cheats and maybe some client-sided anti-cheats depending on your use case (client-sided anti-cheats will only stop some script kiddies and won’t stop all exploiters). Anti-cheats could involve checking the player’s walkspeed by checking the distance the player has moved in a given amount of time and if they moved too far teleport them back.
Try and design your server and client model to have all the important features on the server so that if an exploiter changes anything on their client it won’t have any impact. Generally the client should only be responsible for input and visual changes.
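
An added example, not part of any post in this thread: a server-side handler that applies the sanity checks the replies describe (valid data, item in the player's inventory, position near the part) to a remote call before acting on it. The RemoteEvent name `UseItem`, the per-player `Inventory` folder, and the distance and rate limits are assumptions made for illustration.

```lua
-- Server Script (for example in ServerScriptService). Added example; all names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local useItemRemote = ReplicatedStorage:WaitForChild("UseItem") -- assumed RemoteEvent
local MAX_USE_DISTANCE = 12 -- studs; assumed game rule
local MIN_INTERVAL = 0.25   -- seconds between accepted calls per player

local lastCall = {} -- [Player] = os.clock() of the last accepted call

local function isValidRequest(player, itemName, targetPart)
	-- 1. Type checks: the client can send any value, or nothing at all.
	if typeof(itemName) ~= "string" or #itemName > 50 then return false end
	if typeof(targetPart) ~= "Instance" or not targetPart:IsA("BasePart") then return false end
	if not targetPart:IsDescendantOf(workspace) then return false end

	-- 2. Ownership: look the item up in server-owned state, never in client-sent data.
	local inventory = player:FindFirstChild("Inventory") -- assumed Folder created by the server
	if not inventory or not inventory:FindFirstChild(itemName) then return false end

	-- 3. Position: compare the server's view of the character with the target part.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return false end
	if (root.Position - targetPart.Position).Magnitude > MAX_USE_DISTANCE then return false end

	return true
end

useItemRemote.OnServerEvent:Connect(function(player, itemName, targetPart)
	-- Rate limit: a client can fire remotes as fast as it likes.
	local now = os.clock()
	if lastCall[player] and now - lastCall[player] < MIN_INTERVAL then return end
	lastCall[player] = now

	if not isValidRequest(player, itemName, targetPart) then
		warn(("Rejected UseItem from %s"):format(player.Name))
		return
	end

	-- Apply the effect here, on the server, using server-side values only.
end)

Players.PlayerRemoving:Connect(function(player)
	lastCall[player] = nil -- drop entries for players who have left
end)
```

Because the client has network ownership of its character, the position used in step 3 is itself client-influenced, so the distance check works best alongside a server-side movement check like the walkspeed one described above.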