Securing cursor-targeting functions

I’m currently working on securing my game. For a certain projectile move, a position on the client is obtained through a raycast of the mouse cursor, and that position is sent as an argument for the server hitbox.

The issue is that an exploiter can use that position argument to spawn a hitbox wherever they want. How can I verify the cursor-targeted position on the server? I’m struggling because a player’s cursor position is client only.

Unfortunately there is no way to completely verify the client’s input, but you can at least try to constrain the user to a range of sensible inputs.

A naive approach is to only send the mouse position on the player’s screen then cast the ray on the server by keeping track of where their view model is (or should be).

There are a lot of ways to do this, but I think some considerations need to be made about each player’s network latency, how fast they can actually rotate their screen (mouse sensitivity is an issue), and likely some other things I cannot think of right now.

I would send changes to the client’s camera CFrame to the server; however, this is susceptible to latency and you must decide how users with an unstable connection should be treated, i.e. any dropped packets can make it look like the player moves their camera very quickly.

This also creates a slight desync between where a player wanted to shoot and where they actually shot since the server is at least 50ms behind. This can be mitigated by trying to predict where their camera will be based on its current rotational and linear acceleration, having the player send their current CFrame just to resync it every so often, in case.

Maybe send both the ray the player wanted to cast and the mouse position, recalculating it on the server, then compare how different the results were?

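One way to implement the answer's suggestion (recast the ray on the server from the mouse's screen position and the client's camera CFrame, then compare with the position the client claimed), as an added Luau server script that is not part of the thread. It assumes a RemoteEvent named ShootRemote, the default vertical FieldOfView of 70 degrees, and an existing spawnProjectileHitbox function; the MAX_* constants are constructed tolerances you would tune for your game's latency.

```lua
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ShootRemote = ReplicatedStorage:WaitForChild("ShootRemote") -- assumed RemoteEvent

local MAX_ORIGIN_OFFSET = 8        -- studs: claimed camera must sit near the character's head
local MAX_HIT_DEVIANCE = 4         -- studs: tolerated client/server hit disagreement (latency)
local MAX_RANGE = 500              -- studs: cap on how far the projectile can be targeted
local VERTICAL_FOV = math.rad(70)  -- assumed default Camera.FieldOfView (vertical)

-- Rebuild the world-space ray the client claims to have cast from its screen point.
local function rayFromViewport(camCFrame, screenPos, viewport)
	local tanHalf = math.tan(VERTICAL_FOV / 2)
	local ndcX = (2 * screenPos.X / viewport.X) - 1   -- -1 (left) .. 1 (right)
	local ndcY = 1 - (2 * screenPos.Y / viewport.Y)   -- -1 (bottom) .. 1 (top)
	local localDir = Vector3.new(ndcX * tanHalf * (viewport.X / viewport.Y), ndcY * tanHalf, -1)
	return camCFrame.Position, camCFrame:VectorToWorldSpace(localDir).Unit
end

-- Returns the server-trusted hit position, or nil plus a reason to reject the shot.
local function validateShot(player, camCFrame, screenPos, viewport, claimedHit)
	if typeof(camCFrame) ~= "CFrame" or typeof(screenPos) ~= "Vector2"
		or typeof(viewport) ~= "Vector2" or typeof(claimedHit) ~= "Vector3" then return nil, "bad argument types" end
	local character = player.Character
	local head = character and character:FindFirstChild("Head")
	if not head then return nil, "no character" end
	if viewport.X <= 0 or viewport.Y <= 0 or screenPos.X < 0 or screenPos.Y < 0
		or screenPos.X > viewport.X or screenPos.Y > viewport.Y then return nil, "mouse outside viewport" end
	-- Constrain the claimed camera to a sensible distance from the player's own head.
	if (camCFrame.Position - head.Position).Magnitude > MAX_ORIGIN_OFFSET then return nil, "camera too far from character" end
	local origin, direction = rayFromViewport(camCFrame, screenPos, viewport)
	local params = RaycastParams.new()
	params.FilterDescendantsInstances = { character }
	params.FilterType = Enum.RaycastFilterType.Exclude
	local result = workspace:Raycast(origin, direction * MAX_RANGE, params)
	local serverHit = result and result.Position or (origin + direction * MAX_RANGE)
	-- Small disagreement is expected from latency; large disagreement is rejected.
	if (serverHit - claimedHit).Magnitude > MAX_HIT_DEVIANCE then return nil, "client hit disagrees with server raycast" end
	return serverHit
end

ShootRemote.OnServerEvent:Connect(function(player, camCFrame, screenPos, viewport, claimedHit)
	local hitPos, reason = validateShot(player, camCFrame, screenPos, viewport, claimedHit)
	if not hitPos then
		warn(("rejected shot from %s: %s"):format(player.Name, reason))
		return
	end
	-- Spawn the hitbox at the server's own raycast result, never at the client's raw argument.
	spawnProjectileHitbox(player, hitPos) -- assumed existing game function
end)
```

The client would fire ShootRemote with its camera CFrame, the mouse's viewport position, the viewport size and its locally computed hit; the server only ever uses the position it recomputed itself, so the client's argument can at most cause a rejection.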