PSA: Stop using Roblox proxies! (roproxy, rprxy.xyz, rprxy)

For security reasons, Roblox blocks the use of HttpService to send requests to roblox.com URLs. To get around this, many developers have created and used “proxy websites” that act as an alternative to sending requests to roblox.com.

The majority of developers choose not to host and/or write their own proxy, so many of them choose to use proxies that other people host, like rprxy.xyz. Stop doing this!!

Why it’s a bad idea

  • Single point of failure

    All of your tool’s traffic relies on this one black box, which could go down at any time. In fact, so many people used rprxy.xyz that hosting it became unsustainable and it eventually shut down, breaking numerous pieces of code.

  • Exposing user information

    If you’re sending requests from a plugin, or from any service that runs on the user’s computer, every request reaches the proxy operator from that user’s machine. You are handing a third party you don’t control their IP address and whatever else the request contains.

  • Insecure

    Many Roblox API endpoints require authentication as a specific user to operate, like group ranking. To use these endpoints through these services, the developer has to hand their secret .ROBLOSECURITY cookie to the proxy. That cookie is the full session credential for the account: whoever holds it can do anything with that account, including logging in as that user.

  • Fake data

    There is no way to completely trust that the data this proxy is returning is actually legitimate. It could return fake information and break your game’s code, or even worse…

    Roblox gameservers expose their own place ID through the Roblox-ID header, meaning these proxies can know which game each request is coming from. This lets them tamper with data for one specific game only, which makes the tampering hard to notice from anywhere else.

    Imagine this:

    • You are using a proxy service to get all clothing items in your group’s store. It returns a list of assets for you to show in your game.
    • The attacker sees a lot of requests to their proxy coming from your game’s ID.
    • The attacker looks at the group and sees an expensive item that lots of people are purchasing.
    • The attacker creates a fake copy of this item that looks similar enough to trick people.
    • The attacker forges the response data just for your game, so instead of returning the actual shirt in your store, it returns their fake item.
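    The scenario above in code, as an added illustration (not code from the post or from any real proxy): a proxy that forwards honestly for everyone except the one place ID it has decided to target. The place ID, item IDs and the upstream store listing are all constructed for the example; the header lookup is case-insensitive so it does not depend on the exact spelling of the header name.

```python
"""Added example: how a proxy can single out one game by its Roblox-ID header."""
import json

# Constructed stand-in for what roblox.com would really return for a group store listing.
REAL_STORE_RESPONSE = {
    "data": [
        {"id": 1001, "name": "Group Shirt"},
        {"id": 1002, "name": "Group Pants"},
    ]
}

TARGET_PLACE_ID = "5555"  # assumption: the place the proxy operator chose to target
REAL_ITEM_ID = 1001       # assumption: the popular item in that group's store
FAKE_ITEM_ID = 9999       # assumption: the operator's look-alike copy of that item


def fetch_upstream(path: str) -> str:
    """Stand-in for forwarding the request to roblox.com; returns the constructed listing."""
    return json.dumps(REAL_STORE_RESPONSE)


def malicious_proxy(path: str, headers: dict) -> dict:
    """Behave like an honest proxy, except for requests from the targeted place.

    The gameserver's own place ID arrives in the Roblox-ID request header, so the
    proxy needs nothing more than a header comparison to target a single game.
    """
    body = json.loads(fetch_upstream(path))
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if lowered.get("roblox-id") == TARGET_PLACE_ID:
        for item in body.get("data", []):
            if item["id"] == REAL_ITEM_ID:
                item["id"] = FAKE_ITEM_ID  # swap in the fake only for this game
    return body


def item_ids(response: dict) -> list:
    """Helper used to compare what two different games receive."""
    return [item["id"] for item in response["data"]]
```

    Every other game sees the real listing, so nobody comparing results across games would spot the swap; only the targeted game's players are sent to the fake item.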

How to fix it

Move over to Luau APIs when possible

Some endpoints that you may have thought were only accessible through roblox.com are actually available as methods, or will be in the future: List of Luau functions that send requests to Roblox endpoints - RoAPI

Host your own system

What if I told you there’s a way that you can send requests to Roblox endpoints from your own game without using a proxy??? I know, it’s crazy.
Instead of relying on your Roblox game to know how to send requests to Roblox, you can just write code that sends requests to your own web server and then make your web server send those requests for you.

One of the best ways to do this is with a Roblox API wrapper library. Without many lines of code, you can write a web API that does this. For example, here’s a short example that uses ro.py in only 10 lines of code (:exploding_head:) that allows your server to get its own player count through an endpoint:

Example
from roblox import Client   # ro.py
from fastapi import FastAPI

app = FastAPI()
# The cookie lives only on this server; the game never sees it.
client = Client("ROBLOSECURITYHERE")

# Universe (not place) ID of the experience whose player count we want.
universe_id = 13058

@app.get("/player-count")
async def get_player_count():
    # Your game calls this route; this server calls Roblox on its behalf.
    universe = await client.get_universe(universe_id)
    return {
        "player_count": universe.playing
    }

You would then host this code on DigitalOcean, Heroku, or another provider and send requests to it from your server. This solution is also better for your developers: it offloads the effort of the API requests to an external service, so you can make changes without changing your game’s source.
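To show what “your server does the gatekeeping” looks like beyond a single route, here is an added example (my code, not the post’s and not ro.py’s API) of the request-handling core of such a service, written against the standard library only so it runs offline. The game authenticates with a shared secret in an X-Game-Secret header (an assumed header name), the server exposes exactly two operations instead of forwarding arbitrary URLs, and the group ID and allowed role IDs are fixed on the server so the game can never ask for anything else. The Roblox backend is an interface; in production you would implement it with ro.py as in the example above, and the fake implementation here is constructed for testing.

```python
"""Added example: gatekeeping core of a self-hosted API that holds the Roblox cookie."""
import hmac
import os
from dataclasses import dataclass, field

# Assumed configuration. Both secrets live only on the server, never in the game.
ROBLOSECURITY = os.environ.get("ROBLOSECURITY", "cookie-placeholder")
GAME_SHARED_SECRET = os.environ.get("GAME_SHARED_SECRET", "change-me")
UNIVERSE_ID = 13058          # same universe as the post's example
OWNED_GROUP_ID = 1234567     # assumption: the only group this server may touch
ALLOWED_ROLE_IDS = {11, 12}  # assumption: the only roles the game may assign


class RobloxBackend:
    """Interface to whatever library really talks to Roblox (ro.py in the post)."""

    def get_playing(self, universe_id: int) -> int:
        raise NotImplementedError

    def set_rank(self, group_id: int, user_id: int, role_id: int) -> None:
        raise NotImplementedError


@dataclass
class FakeRobloxBackend(RobloxBackend):
    """Constructed stand-in so the example runs without network access."""
    playing: int = 42
    rank_calls: list = field(default_factory=list)

    def get_playing(self, universe_id: int) -> int:
        return self.playing

    def set_rank(self, group_id: int, user_id: int, role_id: int) -> None:
        self.rank_calls.append((group_id, user_id, role_id))


def authorized(headers: dict) -> bool:
    """Constant-time comparison of the secret the game presents (header name assumed)."""
    presented = headers.get("X-Game-Secret", "")
    return hmac.compare_digest(presented.encode(), GAME_SHARED_SECRET.encode())


def handle(backend: RobloxBackend, method: str, path: str, headers: dict, body=None):
    """Dispatch only the operations we chose to expose. Returns (status, json)."""
    if not authorized(headers):
        return 401, {"error": "unauthorized"}

    if method == "GET" and path == "/player-count":
        return 200, {"player_count": backend.get_playing(UNIVERSE_ID)}

    if method == "POST" and path == "/group-rank":
        body = body or {}
        try:
            user_id = int(body["user_id"])
            role_id = int(body["role_id"])
        except (KeyError, TypeError, ValueError):
            return 400, {"error": "user_id and role_id required"}
        if role_id not in ALLOWED_ROLE_IDS:
            return 403, {"error": "role not allowed"}
        # The group is fixed server-side; the game cannot name a different one.
        backend.set_rank(OWNED_GROUP_ID, user_id, role_id)
        return 200, {"ok": True}

    # Anything else, including any roblox.com URL, is simply not an operation.
    return 404, {"error": "no such operation"}
```

Wiring this into FastAPI means one route per branch of handle() and a ro.py client inside a real RobloxBackend; the point is that the cookie, the group ID and the list of permitted roles never leave this process, and there is no endpoint that forwards an arbitrary URL.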

Host your own proxy

If the above isn’t possible, this may work for you. Depending on your game’s scale, you may be able to host your own proxy using an open-source service.

57 Likes

I wish we could also use HttpRbxApiService

8 Likes

It means Public Service Announcement.

3 Likes

It is disabled for a reason.
I believe the reasoning is that requests from gameservers to Roblox endpoints are more “trusted” somehow (be it through their IP address, headers, etc) and the decision was made that disallowing these requests makes the most sense.

2 Likes

I used to use rprxy.xyz, but now I use ProxyService.

NOTE: I am not the original creator of ProxyService, it is just reuploaded by me for anyone else who would like to use it and cannot find it.

1 Like

TBH I don’t see why Roblox themselves don’t just buy out rprxy.xyz and make it an officially supported reliable endpoint. I’m sure there’re a good amount of devs who use rprxy.xyz in their projects.

Telling everyone to host their own server for such a common use case seems dumb IMO.

6 Likes

I just listed 4 reasons as to why you should do that. I think you should reread the post.

I did read the post. I’m simply disagreeing with the idea that this should be an expected norm.

4 Likes

I just made a proxy via Node.js that fetches the place likes and dislikes and hosted it on Heroku, works perfectly! Just took some time to figure things out.

2 Likes

Hey! Could your help me with this too? I’m struggling lol (my discord is basicallyrbx#0800). I don’t need a lot of details, just some info on how to set it up, would mean a lot🙏

I may have misunderstood this but, your title says to Stop using proxies but at the end of your text you’re telling them how to make a proxy… This is making no sense for me, please if you could explain it a little bit better so it’s not all over the place.

1 Like

Sorry for the confusion! I’m explaining why you shouldn’t use proxies that aren’t under your control, as they are a huge security risk. If you have direct access to them and can confirm that they are safe, that’s totally fine.

1 Like

Ah, thank you for clarifying! It makes a lot more sense now.
:slightly_smiling_face:

1 Like

I just want to state that if using Heroku you should note that your app could go down because you used too much ‘dyno resources’. That means, as always, you shouldn’t have any important logic based around APIs.

You also have a single point of failure if you only use Heroku or your own proxy too.

One thing I will add on is that you should also be very careful with how you are handling .ROBLOSECURITY in-game in the first place. Even if the proxy you are using isn’t stealing the token, someone may find a way to steal your server-side scripts and therefore steal your token.

2 Likes

Yes, but the single point of failure is in your control! :upside_down_face:

The only way this would happen would be if the “hacker” in question already had access to the game itself (be it through Team Create, already has your token, etc).
Even so, this is why I encourage you not to use your own account for any of this.
I also encourage you to write your own API rather than a strict “proxy” so your server can be in control of the cookie and do all the gatekeeping.

1 Like

Agreed. I don’t even recommend my own proxy for production use. For development or non-critical features it generally works well, but there are occasional (<0.01%) timeouts or issues with the proxy provider I use that can result in requests being sent twice. With a self-hosted proxy or purpose-built application, these issues can be eliminated (or at least handled properly for your use case.)

I think linking your own post encouraging use of this proxy where you describe its features is a bit hypocritical, especially in the replies of a post explicitly describing why it is a terrible idea to use it (even for “non-critical features”)

1 Like

That’s a fair point, linking it has become a bit of a habit, sorry!

By non-critical features I mean something like an admin-only catalog search, where it might not be worth the cost and effort of maintaining a private proxy.

I think for all non-trivial tasks (that being those that cannot currently be done with Roblox’s methods, like :GetRoleInGroup()) a private API (not necessarily a proxy) should always be maintained.

The same issue applies in your example here: an attacker (someone who has access to the proxy somehow, like a maintainer or even someone who gained access to it through an attack on the proxy itself) could very easily spot requests coming from a certain place ID and forge responses.

It’s also important not to overengineer things - for something as trivial as a list of admins that a Roblox server can query, just hosting a static file somewhere (like on GitHub) could even be better - you could even automatically update it through some external program.

It’s worth noting that you never really get rid of all points of failure - at some point you have to realize that you’re trusting GitHub with your source code or DigitalOcean with your hosting or Cloudflare with your routing or even Roblox itself with your game - but I’d rather make that point of failure a trusted, widely-used tool than a black box with people I can’t fully trust behind it.

At least with an open-source library I depend on, I can at least look at the source code and be certain that it is what I expect. For a black box, like these proxies, I have absolutely no way of trusting the code behind these proxies to not do malicious things, even if they are open-source as I can’t verify that the code running on the server is the same one I see on GitHub.

2 Likes