Preventing Exploiters from firing Remote Events

So yeah in simpler terms of what he said, let’s say you wanted to let someone buy something with a gui. Fire the remote event then on the server script check how much money that player has as they could easily just change the values if you send the amount of money or if they have enough when you check it in a local script. Lets say you fired true or false from the local script, then the player could easily cheat that. If you just fire the event it automatically fires the players name, meaning you could just check the players amount of cash in the serverside script and bam now that’s fixed.

No you can’t prevent exploiters from firing remote events.
Parenting to nil it’s not going to work anyway

You technically can’t. But, you can do sanity checks. Here is an example: if you have a shop, and a player fires a RemoteEvent to buy something, you would check on the server if the player has enough money for it. If you don’t do that, an exploiter could fire the event to get the most expensive item, and if you don’t have any checks, they could get it for free. but if you check, they won’t get the item.

1 Like

Exploiters are clients as well, the code they execute is executed as a local script, you can’t say “this exploiter is not a client” or “this exploiter is not executing their code as a local script”.

Just do a sanity check. Make sure the remote is fired at the right time with valid arguments.

1 Like

Have the remote in replicated storage, acquire the reference to it with a local variable and set the remote’s parent to nil. Use the reference variable to call its functions. Only stops free exploit users.

local RemoteEvent = -- Location of your remote event.
local FireServer = RemoteEvent.FireServer -- Leave this part.
FireServer(RemoteEvent, Argument1, Argument2, Argument3) -- Only change the Argument1 - 3 etc of what you wanna send over.

Basically try not to use :FireServer() as that’s what can be logged.

The way provided isn’t 100% unloggable however it is on Platforms such as Synapse etc.

Additionally, the first Argument for :OnServerEvent is the Player that fired it, what I do is make the second Argument the Player it should be.

If both Argument1 and Argument2 match then proceed, if not, kick etc


That doesn’t make sense, using . instead of : isn’t any better, : just passes self as its first argument.
If anything: it is slower, since LuaU optimizes method calls.


You can’t, sure you could get the client to have a randomly generated string but that only protects you against people that don’t know exploiting well.

That’s not how life works…
All you are doing is swapping a colon for a dot, and your doing that on the client.
Anything stored/ shared/ fired on the client is accessible to the client to read and alter;

You want to share data between client scripts, but you don’t want it to be exploited so you put the data in a string value and fire a bindable event with nothing to notify other local scripts you want them to read something… so the local scripts goes to this path of where the string value is and goes to read it by doing .Value, it can still be altered without touching the string value because the local script is trying to get data stored on the client.

It’s secure tho, as stated - it doesn’t log with hacking software such as Synapse.

what do you mean by “it doesn’t log”?

He means that scripts which only detour __namecall aren’t going to pick up the .FireServer call, which is true. But I don’t think I’ve seen such a script for a year, they all use double hooks now.

I dont quiet understand this part

Additionally, the first Argument for :OnServerEvent is the Player that fired it, what I do is make the second Argument the Player it should be.

What are “Double Hooks” ? (30 chrrrs)

A remote spy can still detect the :FireServer wont it?

You can use something called nil parent to hide your scripts if that helps everyone. You could also try obfuscating scripts which might help out. Also you can’t really stop exploiters from firing remotes.

what is a “nil parent”?

30 characters

If you don’t script.parent = nil it will be a lot harder for exploiters to find your scripts

Do you mean make the script parented to nil so I can hide my key? Or something also can you explain what you mean by obfuscating the script.

Yes you can hide your script, a capable exploiter will be able to find it but it will be harder. Obfuscating is a technique of jumbling up a script so it’s hard to read just search Roblox obfuscator and you put your script in and it does that and it will be very hard to figure out what it means. I can give you a link to one when I get on my pc.

Also this might be helpful if you want to hide your remotes Remote Objects Parented To Nil Never Fire - #3 by Dummiez