Securing RemoteEvents/Functions

Help and Feedback Scripting Support
#1

Securing RemoteEvents/Functions

I know this question has been asked a million times, but I have spent day’s looking through previously asked questions of how to secure your remote events.

What I usually see when looking is the following:
“obfuscate it”
“don’t obfuscate it, it is pointless”
“just secure it”
“dont trust the client”
“encrypting and decrypting is pointless”

While most of those are true such as “don’t trust the client” I want to know how I can do this without having specific scripts for it.

An Example
I click a TextButton
It fires a remote event to add money

Obviously that is super unsecure and easily exploitable, but how can I make it so that I can secure all of my remote events in one script?

#2

add checks to see if the client is eligible to fire the remote event. For example, if the click textbutton to add money example appears in the game where the player has to complete an obby, then the textbutton shows up. In this case you would check if the player is actually in the obby’s finish place, and whether they already claimed the reward (checks on the server, of course).

also, just don’t trust the client lol. If you have a sword with client sided hit detection to reduce lag, you should not trust the client when it sends a signal that it hit something. Instead add checks on the server like is the target character is reasonably in front of the sword holder. Or is the distance between the sword holder and the target reasonably close. Base these checks on the server and the server only

1 Like
#3

Thank you for the time you put into your response but I already knew that what I was tryna ask was like, could I do what you just said but without having to do checks for each event. Basically like a general purpose anti exploit to prevent exploiters from firing a remote event

#4

I dont think its possible but I may be wrong. Exploiter-fired remote events are indistinguishable from normal player-fired remote events. And the only plausible solution i can think of is detecting the exploiting software. Theres a huge thread about this, and most people say it is impossible

1 Like
#5

Thank you very much, I didn;t think to just prevent the software in general

1 Like
#6

Well, you don’t really have any great options with this example, one way would be to calculate the time between the clicks using os.time and only grant money to the player if it doesn’t exceed the time cap.

You can’t really entirely secure all of your remotes in a single way, but you can increase their security. A simple method would be to generate a random string of numbers every n seconds, use a remote function to retrieve it from the server, and then pass as an argument whenever you fire a remote, compare it to the server-sided string, and if it doesn’t match or is nil; simply deny the request. This will be easily bypassable by any decent exploiter but a script kiddie will be helpless in that situation. Keep in mind that this isn’t 100% accurate and can lead to some false detections and that’s why you shouldn’t punish players only based on this.

The thing is whenever you use remotes, it shouldn’t be specific things like giving money or experience, imagine a player’s got a 1x crate, he fires the crate remote 3 times but only gets to open it once, the way this is achieved is by having as many server-sided variables that can be checked such as the amount of certain cases player has, this gives us more stuff to perform sanity checks on, instead of having separate remotes to open a case and grant the opened item.

2 Likes
#7

Thank you very much for this response, I guess I truly just have to do indiviual sanity checks for each event, but thats no problem I just wanted to see if their was a better way