For security reasons, Roblox blocks HttpService from sending requests to roblox.com URLs. To get around this, many developers have created and used “proxy websites” that forward requests to roblox.com on the game’s behalf.
Most developers choose not to host or write their own proxy, so they use proxies that other people host, like rprxy.xyz. Stop doing this!!
Why it’s a bad idea
- Single point of failure: All of your tool’s traffic depends on this one black box, which could go down at any time. In fact, so many people used rprxy.xyz that hosting it became unsustainable and it eventually shut down, breaking numerous pieces of code.
- Exposing user information: If you’re sending requests from a plugin or a service that runs on the user’s computer, you could be putting them at risk by sharing information about them (their IP address, plus whatever is in the request) with this service.
- Insecure: Many Roblox API endpoints require authentication as a specific user, like group ranking. To use these endpoints through one of these services, the developer has to hand their secret .ROBLOSECURITY token to the proxy, which could then do anything with that account, including logging in as them.
- Fake data: There is no way to be sure that the data the proxy returns is legitimate. It could return fake information and break your game’s code, or even worse. Roblox game servers expose their own place ID through the Roblox-ID header, so the proxy knows which game each request is coming from and can tamper with data for one specific game only. Imagine this:
- You are using a proxy service to get all clothing items in your group’s store. It returns a list of assets for you to show in your game.
- The attacker sees a lot of requests to their proxy coming from your game’s ID.
- The attacker looks at the group and sees an expensive item that lots of people are purchasing.
- The attacker creates a fake copy of this item that looks similar enough to trick people.
- The attacker forges the response data just for your game, so instead of returning the actual shirt in your store, it returns their fake item.
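To make the scenario concrete, here is an added example (not code from the original post, and not any real proxy’s code) of the logic a hostile proxy needs to target one game. It reads the Roblox-ID header that HttpService attaches, passes every other caller’s traffic through untouched, and swaps one asset ID only for the targeted place. The place ID, item IDs and the store listing JSON are constructed for the example.

```python
# Added example: selective tampering keyed on the Roblox-Id request header.
# Everything below (place ID, item IDs, listing JSON) is constructed sample data.
import json

TARGET_PLACE_ID = "123456"   # hypothetical: the game the attacker wants to hit
REAL_ITEM_ID = 1001          # hypothetical: the expensive shirt in the group store
FAKE_ITEM_ID = 9009          # hypothetical: the attacker's look-alike copy


def place_id_from(headers):
    """HTTP header names are case-insensitive, so match Roblox-Id in any casing."""
    for name, value in headers.items():
        if name.lower() == "roblox-id":
            return value.strip()
    return None


def proxy_response(headers, upstream_body):
    """What the proxy hands back for a given request.

    upstream_body is the genuine JSON fetched from Roblox. Requests that do not
    carry the target place ID pass through untouched, which is exactly why the
    game owner (testing from Studio or another place) never sees anything wrong.
    """
    if place_id_from(headers) != TARGET_PLACE_ID:
        return upstream_body
    data = json.loads(upstream_body)
    for item in data.get("data", []):
        if item.get("id") == REAL_ITEM_ID:
            item["id"] = FAKE_ITEM_ID   # same name and price, different asset
    return json.dumps(data)


# Constructed sample: the genuine store listing as Roblox would return it
GENUINE_LISTING = json.dumps(
    {"data": [{"id": REAL_ITEM_ID, "name": "Founder Shirt", "price": 500}]}
)

if __name__ == "__main__":
    print(proxy_response({"Roblox-Id": "999"}, GENUINE_LISTING))            # untouched
    print(proxy_response({"roblox-id": TARGET_PLACE_ID}, GENUINE_LISTING))  # forged
```

Nothing on the game side can detect this: the forged listing is well-formed JSON with the right shape, and only requests from the targeted place ever see it.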
How to fix it
Move over to Luau APIs when possible
Some endpoints that you may have thought were only reachable through roblox.com are actually available as engine methods, or will be in the future: List of Luau functions that send requests to Roblox endpoints - RoAPI
Host your own system
What if I told you there’s a way to send requests to Roblox endpoints from your own game without using a proxy??? I know, it’s crazy.
Instead of relying on your Roblox game to know how to talk to Roblox’s web API, have your game send requests to your own web server and let that server make the Roblox requests on the game’s behalf.
One of the easiest ways to do this is with a Roblox API wrapper library. Without many lines of code, you can write a web API that does this. For example, here’s a short example using ro.py, in only 10 lines of code, that exposes an endpoint your game can call to get its own player count:
Example

```python
from roblox import Client
from fastapi import FastAPI

app = FastAPI()
# Authenticated ro.py client. In a real deployment load the token from an
# environment variable or secret store; never leave it in committed source.
client = Client("ROBLOSECURITYHERE")
universe_id = 13058


@app.get("/player-count")
async def get_player_count():
    # Fetch the universe and return how many players are in it right now
    universe = await client.get_universe(universe_id)
    return {
        "player_count": universe.playing
    }
```
You would then host this code on DigitalOcean, Heroku, or another provider and send requests to it from your game server. This is also better for your developers: the API requests live outside the game, so you can change how they are made without touching your game’s source.
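One thing the short example above leaves out is protecting the endpoint itself: once it is on the public internet, anyone who finds the URL can call it, and if it ever fronts an authenticated action (group ranking, for example) that means anyone can act with your account. The following is an added example, not code from the original post or from ro.py, of the same design hardened the way I would ship it: standard library only, one narrow endpoint rather than an open proxy, a shared API key checked with a constant-time compare, and a sanity check on the Roblox-ID header. The header name `X-Api-Key`, the environment variable names and the hypothetical `fetch` injection are assumptions; the Games API URL is Roblox’s public player-count endpoint.

```python
# Added example: a minimal hardened "your game talks to your own server" service.
# Assumptions: X-Api-Key header name, GAME_API_KEY / EXPECTED_PLACE_ID env vars.
import json
import os
import secrets
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_KEY = os.environ.get("GAME_API_KEY", "change-me")         # hypothetical env var
EXPECTED_PLACE_ID = os.environ.get("EXPECTED_PLACE_ID", "0")   # hypothetical env var
UNIVERSE_ID = 13058                                            # same universe as the post's example


def header(headers, name):
    """Case-insensitive header lookup; works for dicts and http.server header objects."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def fetch_playing(universe_id):
    """Ask Roblox's public Games API for the live player count (real network call).

    This endpoint needs no cookie. If you add authenticated endpoints, load
    .ROBLOSECURITY from the environment or a secret store; never hard-code it.
    """
    url = f"https://games.roblox.com/v1/games?universeIds={universe_id}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)["data"][0]["playing"]


def handle_player_count(headers, api_key=API_KEY, expected_place_id=EXPECTED_PLACE_ID,
                        fetch=fetch_playing):
    """Decision logic kept pure (returns status, body) so it can be tested offline."""
    supplied = header(headers, "X-Api-Key") or ""
    # compare_digest avoids leaking the key through timing differences
    if not secrets.compare_digest(supplied.encode(), api_key.encode()):
        return 401, {"error": "bad api key"}
    # Roblox-Id is added by HttpService but is trivially spoofable from outside
    # Roblox, so treat it as a sanity filter only; the API key is the real auth.
    if header(headers, "Roblox-Id") != expected_place_id:
        return 403, {"error": "unexpected place id"}
    return 200, {"player_count": fetch(UNIVERSE_ID)}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/player-count":
            status, body = 404, {"error": "not found"}   # no open proxying of other paths
        else:
            status, body = handle_player_count(self.headers)
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Run this behind TLS (a reverse proxy or your hosting provider) so the API
    # key is never sent in the clear.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

On the game side you would call it with `HttpService:RequestAsync({Url = "https://your-host/player-count", Method = "GET", Headers = {["X-Api-Key"] = key}})`, keeping the key in a server-side script only. The key protects the endpoint; the Roblox-ID check just stops a misconfigured second place from hitting it by accident, since that header can be set by any HTTP client.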
Host your own proxy
If the above isn’t possible, this may work for you. Depending on your game’s scale, you may be able to host your own proxy using an open-source service.
- rprxy is open-source: GitHub - sentanos/rprxy: ROBLOX Proxy
- ProxyService is open-source, albeit with a somewhat unfavorable Lua client: GitHub - sentanos/ProxyService