Question about client side hitboxes

I’m doing hitboxes on the client to prioritize responsiveness and then having the server validate it, however, there are a few problems. The biggest one is exploiters could change the duration and size of the hitbox the size shouldn’t be an issue since the server does a range check, but the duration is tied to the animation as I use the animation to determine when to activate and disable the hitbox an exploitable could also just use the hitbox of another attack. Not sure what I can do to prevent this on the server.

The only thing I can think of would be to require an attack to send the tick and the attack used and have the tick also sent when reporting a hit. Then check that sent tick is always incrementing and that the difference between messages is not massively larger than the length of time of the animation. And that the distance between start and hit tick aren’t unrealistic from times received. (This does assume remote events are guaranteed to fire in order which I think is what happens, but I’ve never found confirmation. Though I guess would still work most times without a known order)

you could just display fake data on the client and have the server do the actual check. for example when someone hits a player feedback plays on the client but only on that client. server side is alittle behind but checks the hit and applies the appropriate changes to health and hitboxes.

only issue with this is that players will hit and get a response but the server wont count it and no damage is dealt. this can be mitigated by either widening the range/hitbox on the server but leaving them smaller on the client