Securing client -> server events?


I’m looking to develop an antiexploit targeting a few aspects of the player that require input. Stuff like movement is fine (I can check that on the server), but the issue I’m facing is that I don’t know a way to grab input data (mouse clicks, buttons held down etc) server-side (probably because it doesn’t make sense to design architecture like that in the first place!)

I’m confident that I’d be able to grab user input from the client in a LocalScript, and then send that to the server via a RemoteEvent, but I’m not aware of how to secure that system; it would be easy for an exploiter to remove the LocalScript from their client and halt any data being sent to the server to validate.

Is it feasible to grab input sent by a client from the server; failing that, how would I go about securing my RemoteEvents & LocalScripts to prevent an exploiter from bypassing the system?

Thanks for the feedback!

1 Like

Keeping client scripts to the minimum functions such as mouse position and triggering remote events takes care of most common problems.

What problem are you trying to solve?

1 Like

Well, for the remotes, add some fake arguments if you want. I’ve done that on a few systems, making it mutate which argument is the invalid one. You wonder how I could’ve kept that protected, well if you run some module scripts code as the game loads, but on the client’s side, then immediately nil it afterwards, theres a bit more protection.

However… exploiters can also see nil’d & actively running code/scripts

I am curious what it is you are trying to secure from the client’s input… the amount of false positives you will go through kinda sucks…


Thanks for the replies @mc7oof and @defaultgateways.

I’m hoping to detect input from the client, ranging from the speed at which they click their mouse to whether their input is recursive (autoclickers & macros respectively).

The overall aim is a closed system where I can see what the player is pressing, validate it server-side and assign a karma score in conjunction with other modules that check things like movement speed and position, etc.

The only issue that I can see with using RemoteEvents to accomplish this is that the client could potentially delete the script that fires the event, therefore starving the server of data from the client. I could check for this server-side, and kick the player if data isn’t received by the server after X minutes, but that’s still a reasonably large amount of time for a user to exploit and wreak havoc on the server.

Hope this clarifies!

1 Like

Yeah, any form of client sided anti-exploit results in the script being deleted or destroyed by the exploiter.

1 Like

Anything from the client is suspect. :grinning:

Not sure what your ultimate goal is with a karma score, but if your just trying to prevent hacking then stick to server scripts with triggers from remote events.

The client can completely wipe out your game on their machine at any time. Just make sure nothing in your scripts requires the client to be valid. Or if it does need to be valid, then setup a quick check that runs just before your script runs to make sure the pieces you need exist and that they are what they are suppose to be.

I have a module script that I setup just for the purpose of validating important pieces to keep scripts from breaking.


That’s helpful, thank you.

I suppose that the best course of action is to check whether the server is receiving data from the client periodically, and if that fails X times in a row, disconnect the client.

Appreciate the info!

1 Like

The client can fake info at any time, including sending you what you want to see.

They might realize you want feedback and send you want you want, while with their other hand they are doing something else. :upside_down_face:

Just don’t trust the client in any way.

I test breaking things in Studio. In test mode change stuff in the client window and watch the server window for errors.

1 Like

That’s a good strategy to use.

I’ll spend a few hours brainstorming and get back to you once I’ve found a solution that fits the thread.

Thanks for the advice & feedback!

I would not recommend this. Exploiters rarely stop firing remote events. All this would do is make it so players who get ping spikes eventually get kicked after enough strikes.

1 Like