Hi! I’m attempting to secure a RemoteEvent. I’ve created sanity checks but they can be bypassed by exploiters,
I’m wondering if I have a RemoteEvent that sends a key to a client every 10 seconds or so and that client uses the updated key, would that work? For example:
--Server Script
local key = "whateverthekeyis"
while wait(10) do
key = tostring(math.random(1,1000000000000)
RemoteEvent:FireAllClients(key)
end
RemoteEvent.OnServerEvent:Connect(function(player, sentkey)
if sentkey == key then
print("hooray! you did it!")
end
end)
--Local Script
local currentkey = "currentkey"
RemoteEvent.OnClientEvent:Connect(key)
currentkey = key
end)
--Stuff that occurs and then
RemoteEvent:FireServer(currentkey)
Exploiters would still be able to get the key from the scripts environment, but they could also just create their own OnClientEvent connection if they found what remote you are using.
I only have one recommendation which is to secure the remotes using other checks such as magnitude checks depending on the use case instead of creating a security key system. Anything sent from the client to the server can be altered thus making this security system useless.
Bottom line, you should avoid transmitting any information to the server from the client (other then the local player instance itself, which is internally sent) when calling “FireServer()” as by doing this you are entrusting the client.
Well there is exploits that can see all remote data traffic, and see the data being sent through them. All the exploiter has to see is the key being sent then just send the key and the server wouldn’t even know.
Using any form of RemoteEvent (Including RemoteFunctions) is a pretty bad idea if you’re trying to achieve an anti-cheat. There’s a thing called a RemoteSpy, which will allow them to check if a RemoteEvent (or RemoteFunction) has been fired, and if so, what arguments were passed through.
If you want to deal with Exploiters, here’s a few tips I can give you:
Always Enforce Local Scripts on the Server
→ What I mean by that is that whenever you have a local script, then you should also have a server
script that checks if you have the requirements met to perform certain actions (An example for this would be a shop. Exploiters could simply change their Money to 99999999999, but the Server would still see their actual money, thus not give out the item the exploiter wants to purchase)
Keep Server Scripts inside ServerScriptService
→ This is pretty self explanatory. The client (exploiter) has no way in changing or even looking into the ServerScriptService and the ServerStorage, so that’s where you would want to “hide” most of your important scripts. Never keep Server Scripts inside the Workspace, unless it’s for things that are pretty harmless (like a door sensor script that opens a door if triggered. Typically, exploiters don’t care about those things).
In short: RemoteEvents (and RemoteFunctions) are not secure as exploiters can see what, when and with what arguments an RemoteEvent (or RemoteFunction) is being fired at. You shouldn’t try and keep things secret, but rather always enforce “requirement checks” on the server to make sure that the exploiter has a hard time to bypass the requirements to perform a certain action.
For the sake of everyone reading this in the future, I want to clarify that it is secure to keep scripts in Workspace. There is a lot of false information out there that the source of server scripts get sent to the client, but that is not correct. Kampfkarren correctly explains it in this reply: https://devforum.roblox.com/t/best-method-of-combating-place-stealer-exploits/100846/4
Having said that, everything else in your reply is still very helpful - it’s just a common misconception out there that is inconveniencing a lot of developers when they could be focused on other security measures.