1. When exploiters fire a remote/function, and if the remote would respond only on the client-side, would the remote still respond?
2. How can I make checks to check if the remote was fired when it is supposed to fire? Since this whole topic can be seen by exploiters, I recommend answering this question in PMs, I am sorry but yeah, I indeed am very careful.
3. Can exploiters break the game for others as well? If so, how would they do it?
Please tell me if I should rather change it to Development Discussion!
Tough question. There really isn’t a perfect answer for this as it isn’t really possible to do it all the time. You can stop a lot with strict sanity checks and careful processing of requests.
Yes. If there are vulnerabilities in your code that could lead it to happen, it can happen.
What do you mean by “only respond on the client side”? A client cannot fire a remote to themselves.
Let’s use debounce as an example. Exploiters could change the debounce in local scripts to spam fire a remote event, such as firing a bullet from a tool gun. Instead of checking their debounce status on the client, check it on the server.
Okay, thank you so much. I did not get one answer. When exploiters fire remote/function, may they use :fireServer and :fireClient or only :fireServer ? Or is it different than I think?
If they use the wrong functions to fire a remote event, an error would happen and mostly won’t break the game logic unless the game is scripted badly. Besides that, it would also ruin the client’s script.
Thank you! Last question, would names such as ‘xkasjasb’ of the remote/function confuse the exploiters on what it does? Or can they see what it does when it fires?
Still no. They can see remote events because remote events must be placed within somewhere where the server and client can access, like for example ReplicatedStorage.
Yeah they can just see the contexts they get fired in. Security through obscurity isn’t actual security and may backfire – even you might not remember what each remote does!
Okay, thank you both. My very last question is, am I way too worried about exploiters? I am currently making ‘Add Coin To Player after picking it up’, and I have used remote event, but this remote won’t actually trigger the adding coin, it just sets a background check to ‘yes, it is allowed to be added’ after that there is something that triggers it without using remote, am I doing right?
They can look inside local scripts and module scripts and can fire remote events, but most of the time you can defend yourself against this. PM me if you would like to know more about remote event safety.
They can look inside of a module script if a local script requires it. (They can’t look inside of a module script if a server script requires it or if it is stored in ServerStorage/ServerScriptService.)
What do you mean by remote only respond on the client side? I still don’t get it.
I think that you can’t do that. Since there is no way to communicate between server scripts. If you want to do that, you have to do sanity checks for every remote you receive, and sometimes it will give false information if the player is lagging.
Yes, if there are vulnerabilities in your code. Just don’t trust the client. Every time a remote event is sent to the server, make sure to always check it.
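The server-side debounce and per-request sanity checks recommended in the replies above, as an added Luau example that is not code from any post in this thread. The remote name `FireBullet`, the cooldown and the range limit are assumptions made for illustration.

```lua
-- Server Script (for example in ServerScriptService). Added example; names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumption: a RemoteEvent named "FireBullet" exists in ReplicatedStorage.
local fireBullet = ReplicatedStorage:WaitForChild("FireBullet")

local COOLDOWN = 0.5   -- seconds between accepted shots (constructed value)
local MAX_RANGE = 300  -- studs; targets farther away are rejected (constructed value)

local lastShot = {}    -- [Player] = os.clock() timestamp of the last accepted shot

local function isValidTarget(player, target)
	-- The client controls every argument, so check the type before using it.
	if typeof(target) ~= "Vector3" then
		return false
	end
	-- Reject NaN components (NaN is the only value not equal to itself).
	if target.X ~= target.X or target.Y ~= target.Y or target.Z ~= target.Z then
		return false
	end
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then
		return false
	end
	return (target - root.Position).Magnitude <= MAX_RANGE
end

fireBullet.OnServerEvent:Connect(function(player, target)
	local now = os.clock()
	local previous = lastShot[player]
	if previous and now - previous < COOLDOWN then
		return -- fired too soon; the debounce in the LocalScript is not trusted
	end
	if not isValidTarget(player, target) then
		return
	end
	lastShot[player] = now
	-- Server-owned game logic goes here (spawn the bullet, apply damage, ...).
	print(player.Name .. " fired at " .. tostring(target))
end)

Players.PlayerRemoving:Connect(function(player)
	lastShot[player] = nil -- drop state for players who left
end)
```

The LocalScript can keep its own debounce for responsiveness; the server copy is the one that decides whether the shot counts.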