Securing Client-Side Hit Detection in Sword Combat

Hi, I’m currently working on a sword combat game using Raycast Hitbox v4.01. My approach involves handling hit detection on the client-side for smoother gameplay, while leaving the damage calculations to the server for security. However, I recognize the potential for exploiters to abuse this system. While I’ve implemented some basic sanity checks, they’re not foolproof.

I’d greatly appreciate your thoughts and opinions on how to better secure this system and prevent exploits, without ruining the experience of a regular player. Thank you!

Bump, since no one has responded.

At the end of the day, every hitbox is exploitable in some way. Me personally, I would not do anything other than a distance check, maybe even a simple raycast (can be buggy, don't trust server) because even if you do, exploiters will find new methods to abuse it.

4 Likes

Bump again :stuck_out_tongue:

limit limit limit

In the end it’s a matter of balance. Having delayed hitboxes is annoying, but being destroyed by exploiters is more annoying.

Sanity checks help, sure, but with this approach exploiters will always hold an advantage over regular players. Personally I would leave the hitboxes on the server, so as not to leave any vulnerabilities. This may seem naive, but it does not have much of an effect on players with decent ping.

One thing to account for when implementing client-sided hitboxes is how they function in case of players with extreme ping. If a player has an absurdly high ping, let’s say 5000 as an example, their view of the game would be delayed by roughly 5 seconds. In this hypothetical situation, even with client-sided hitboxes, they may not be able to pass the sanity checks, leaving them fully unable to land any attacks.

Again, client-sided hitboxes are a valid approach, but they are difficult to get right. I strongly recommend leaving hitboxes to the server instead.

2 Likes
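
An added example, not written by anyone in this thread: a server Script that validates a client-reported sword hit using the checks suggested above (a distance check and a rate limit), with a capped latency allowance so that ordinary ping does not fail the check. The `SwordHit` RemoteEvent name and every constant are assumptions to be tuned per game.

```lua
-- Added example (server Script); names and constants are assumptions, not from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local hitEvent = ReplicatedStorage:WaitForChild("SwordHit") -- hypothetical RemoteEvent

local SWORD_REACH = 8        -- studs, assumed blade reach plus hitbox size
local SWING_COOLDOWN = 0.5   -- seconds between accepted hits per attacker
local DAMAGE = 20            -- decided by the server, never sent by the client
local MAX_SPEED = 16         -- studs/second, default Humanoid.WalkSpeed
local MAX_PING_COMP = 0.3    -- seconds of latency the server will forgive

local lastHit = {} -- [Player] = os.clock() of the last accepted hit

-- Returns the root part and humanoid of a living character, or nil.
local function getRoot(character)
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if humanoid and root and humanoid.Health > 0 then
		return root, humanoid
	end
	return nil, nil
end

hitEvent.OnServerEvent:Connect(function(attacker, targetCharacter)
	-- Remote arguments are untrusted: check the type before indexing.
	if typeof(targetCharacter) ~= "Instance" or not targetCharacter:IsA("Model") then return end
	if targetCharacter == attacker.Character then return end

	local attackerRoot = getRoot(attacker.Character)
	local targetRoot, targetHumanoid = getRoot(targetCharacter)
	if not attackerRoot or not targetRoot then return end

	-- Rate limit: one accepted hit per swing cooldown.
	local now = os.clock()
	if now - (lastHit[attacker] or -math.huge) < SWING_COOLDOWN then return end

	-- Distance check with bounded latency slack: both players may have moved
	-- during the attacker's ping, but the forgiveness is capped.
	local ping = math.min(attacker:GetNetworkPing(), MAX_PING_COMP)
	local allowed = SWORD_REACH + 2 * MAX_SPEED * ping
	if (attackerRoot.Position - targetRoot.Position).Magnitude > allowed then return end

	lastHit[attacker] = now
	targetHumanoid:TakeDamage(DAMAGE)
end)

Players.PlayerRemoving:Connect(function(player)
	lastHit[player] = nil -- avoid leaking entries for departed players
end)
```

The positions compared are the server's own view of both characters, so the client only nominates a target and never supplies coordinates or damage.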

Thank you for this detailed comment. I understand that handling hitboxes on the server is more secure, but I’ve been trying to improve the experience for my players. Even with a 30ms ping, they still can’t hit as accurately as they would with client-side hit detection.

Many popular games use this approach as well, so I feel it’s the right direction.

Hopefully, as my game progresses and I create a fully-fledged anti-cheat system, it will help to mitigate any potential issues.

It’s perfectly valid to do client-sided hitboxes, there are just a lot of concerns one should address.
One alternative I would propose to improve player experience is to enlarge hitboxes instead. If your players are struggling to hit targets even at low ping, it may be an issue with the size of your hitbox.

You mentioned using a raycasting library for hitboxes, and while I am unfamiliar with the specific library, you can use something like Shapecast to achieve volumetric shapecast hitboxes.

1 Like

There is a big box that acts as a hitbox, but the problem with handling it on the server is that the raycast is not synchronized. If you were to move forwards it would be delayed and it would be behind you, and vice versa.

Well you can scale the hitboxes’ size forward as well, allowing the hitbox to reach slightly further to counter the hitbox appearing behind the player.
Alternatively you could check the player’s current move direction and speed, and adjust the hitbox position accordingly.

Keep in mind, this would be useful for lower ping users. Anything higher than 200ms would not be playable.

Switching between client-sided and server-sided hitboxes may cause inconsistencies in how the hitboxes feel to the players. It is not a good idea to switch to client-sided hitboxes for low-ping players, as the lower your ping is, the smaller the difference between server- and client-sided hitboxes. It is unnecessary.

1 Like

Sure, inconsistencies are a concern, but for high-ping players, client-side hitboxes can greatly improve responsiveness and feel.

1 Like