Right now, unassuming Roblox developers (especially children) are unknowingly compromising the security and stability of their games by using “proxy services” to send HTTP requests to roblox.com endpoints within their games.
Currently, Roblox blocks all HttpService requests to roblox.com URLs. The reasoning is sound - the Roblox Lua API itself already provides many functions that interface with the web API under the hood, like InsertService, so calling it directly is unnecessary. (Presumably there are internal reasons for this as well, such as game servers being granted a higher level of authority when sending requests, but this is unconfirmed.)
The problem is that many of the things game developers want to do with the Roblox web API simply do not have any implementation in the Lua API, including but not limited to:
- fetching the contents of a user’s inventory
- fetching the number of players a game currently has
- fetching any information about a group
Because web endpoints exist that cover all of these use cases, developers resort to hosting proxy services - i.e., websites that receive requests under some other domain, like https://users.robloxproxy.example/v1/users/1, forward them to the underlying roblox.com URL (in this case https://users.roblox.com/v1/users/1), passing along headers and body data, and then return the response they receive.
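To make concrete what a proxy service does with each request, here is an added example (my own Python, not code from the original post and not the ProxyService project named in the rprxy notice quoted later): the request-rewriting core of a privately hosted proxy, with an allow list so it forwards only to the roblox.com subdomains a game actually needs. The robloxproxy.example domain, the subdomain list and the stripped-header list are assumptions chosen for illustration.

```python
# Added example (not code from the original post, nor the ProxyService project):
# the request-rewriting core of a privately hosted Roblox API proxy.
# The PROXY_DOMAIN hostname is a constructed placeholder.
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Domain the game sends its requests to (placeholder for this example).
PROXY_DOMAIN = "robloxproxy.example"

# Upstream subdomains this proxy is willing to reach (assumed list). Anything
# else is refused, so the service cannot be repurposed as an open relay.
ALLOWED_UPSTREAM_SUBDOMAINS = {"users", "games", "groups", "inventory"}

# Headers never copied from the game's request to the upstream call: hop-by-hop
# headers and anything that could carry the proxy operator's own credentials.
STRIP_REQUEST_HEADERS = {"host", "cookie", "authorization", "connection", "content-length"}


class ProxyError(ValueError):
    """Raised when an incoming request must not be forwarded."""


def map_upstream_url(incoming_url: str) -> str:
    """Translate https://<sub>.PROXY_DOMAIN/path?query into https://<sub>.roblox.com/path?query.

    Only allow-listed subdomains are accepted, so a caller cannot make the
    proxy fetch arbitrary hosts by crafting the Host header.
    """
    parts = urlsplit(incoming_url)
    host = parts.hostname or ""  # urlsplit lower-cases the hostname for us
    suffix = "." + PROXY_DOMAIN
    if not host.endswith(suffix):
        raise ProxyError(f"unexpected host {host!r}")
    subdomain = host[: -len(suffix)]
    if subdomain not in ALLOWED_UPSTREAM_SUBDOMAINS:
        raise ProxyError(f"subdomain {subdomain!r} is not allow-listed")
    if parts.username or parts.password:
        raise ProxyError("credentials in the URL are not accepted")
    # Always talk https upstream and never forward a fragment.
    return urlunsplit(("https", f"{subdomain}.roblox.com", parts.path, parts.query, ""))


def filter_request_headers(headers) -> dict:
    """Drop headers that must not leave the proxy; keep the rest (e.g. Accept)."""
    return {k: v for k, v in headers.items() if k.lower() not in STRIP_REQUEST_HEADERS}


class RobloxProxyHandler(BaseHTTPRequestHandler):
    """Forwards GET requests only; the proxy exposes just what the game needs."""

    def do_GET(self):
        incoming = f"https://{self.headers.get('Host', '')}{self.path}"
        try:
            upstream_url = map_upstream_url(incoming)
        except ProxyError as exc:
            self.send_error(403, str(exc))
            return
        req = Request(upstream_url, headers=filter_request_headers(self.headers))
        try:
            with urlopen(req, timeout=10) as resp:
                body = resp.read()
                status = resp.status
                content_type = resp.headers.get("Content-Type", "application/octet-stream")
        except HTTPError as exc:
            # Pass upstream error responses through unchanged rather than masking them.
            body, status, content_type = exc.read(), exc.code, "application/json"
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind locally; put TLS termination and an API-key check in front of this in real use.
    ThreadingHTTPServer(("127.0.0.1", 8080), RobloxProxyHandler).serve_forever()
```

Hosting something like this yourself removes the third party from the request path, which is the trust problem discussed in this post; it does not remove the single-point-of-failure problem, it just moves it to the developer's own infrastructure.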
This solution is a huge pain in general, but it becomes even worse when developers use public proxy services - rather than hosting their own private websites for their game, they use publicly provided services.
There are many problems with this - I outline them all in this post, but the gist is that developers are effectively subjecting themselves to a man-in-the-middle attack: they are trusting these third parties not only with their own data and information, but also not to tamper with the response in any way or outright return fake information.
These services are also single points of failure, often maintained by solo developers who pull the plug at some point. See rprxy.xyz, a proxy service maintained by a developer who eventually had to shut it down:
Due to issues with hosting, it is no longer sustainable to maintain rprxy.
Please consider hosting your own proxy, for example by setting up the open source project ProxyService.
The source for rprxy will always be available here.
Thank you for the support over the years. I sincerely apologize for the inconvenience.
This future is inevitable for all of these public proxy services - either they eventually become too unsustainable to run anymore, or they “become evil”.
The ideal solution is that Roblox covers all possible use cases for these features with Lua APIs or external Open Cloud-based solutions. This will take time, and I hope this happens.
My proposed solution works in tandem with this: until all proxy service use cases are covered by Lua APIs, Roblox should offer a way to send requests to roblox.com endpoints with HttpService.
This solution accepts the fact that developers will use proxies, and rather than ignoring this fact, provides a compromise: providing a Roblox-maintained alternative to these proxy services. This solution is still imperfect, but it provides a temporary solution until all use cases are filled.
As part of this solution, Roblox should alert developers using these services to update their code to point to normal roblox.com endpoints (or whatever other domain/solution Roblox provides) by a certain date. On that date, Roblox should block all requests to these popular proxy services.