Hi - Just a query as to how I could prevent exploiters from firing RemoteEvents that don’t belong to them // their abilities.
I have an over-all Module that relies on Client > Server firing - However, exploiters are more than capable of firing the RemoteEvents for their own needs.
How could I possibly go about protecting these? I’ve seen suggestions such as: Passwords etc.
Passwords are a horrible idea. Don’t do that. An exploiter can always read the password. This is also security through obscurity, which isn’t true security.
Your issue is you are trusting the client. Though this question is a little too broad - a little code might help out.
As said by @sjr04, passwords can be easily obtained by anyone with a little determination. Most other “methods” are also bypassable with effort, and also make working on your game a bit of a pain. Your best option is to only handle visuals on the client, nothing else. All logic should be done on the server, where it’s safe from being tampered.
If you absolutely have to handle some things (due to server lag/latency) like hit detection on the client, try to make a rudimentary anticheat on the server anyway, such as seeing if someone got hit too many times, or in a way that lag cannot cause.
The best thing you can do is to never trust the client to tell the server what to do. The client can process things locally but the server should always be validating and double checking to make sure things are correct.
What I do I change my remote event names, and the variables in the remote around and make it a little confusing every once a while to block/patch exploiters.