Should a region3 hitbox be managed on server or client?

So, I currently have a local script in StarterCharacterScripts that manages the region3 hitbox and fires a remote event for the player to take damage when a valid hit is detected.
Here is the script:

```lua
local player = game.Players.LocalPlayer
local character = player.Character
local Humanoid = character.Humanoid
local hmndrootpart = character:FindFirstChild("HumanoidRootPart")
local DoorTouched = false

player:WaitForChild("PlayerGui")

local regionSize = 6
local heightSize = 10
local visualizeRegion = Region3.new(Vector3.new(1,1,1), Vector3.new(regionSize,heightSize,regionSize))

-- Invisible part that follows the character and marks the hitbox volume
local visualizePart = Instance.new("Part", game.Workspace.PlayerObjects)
visualizePart.Name = player.Name.."-visualizePart"
visualizePart.Anchored = true
visualizePart.Size = visualizeRegion.Size
visualizePart.CFrame = visualizeRegion.CFrame
visualizePart.Color = Color3.fromRGB(255,0,0)
visualizePart.Transparency = 1
visualizePart.CanCollide = false

game:GetService("RunService").Heartbeat:Connect(function()
	wait()

	visualizePart.Position = hmndrootpart.Position

	-- Search the hitbox volume for attack parts parented to the local camera
	local PlayerSearchRegionTest = Region3.new(visualizePart.Position-(visualizePart.Size/2),visualizePart.Position+(visualizePart.Size/2))
	local parts = workspace:FindPartsInRegion3WithWhiteList(PlayerSearchRegionTest, {workspace.CurrentCamera}, 1000)

	for partIndex, part in pairs(parts) do
		if part:FindFirstChild("Attack") or part.Name == "PunchHitbox" then
			-- Damage is computed on the client and sent to the server with the Humanoid
			local dmg = (part:FindFirstChild("StatMult").Value * 10) * part:FindFirstChild("AssetMult").Value
			game.ReplicatedStorage.Remotes.TakeDamage:FireServer(dmg,Humanoid)
		end
	end
end)
```

I don’t know how safe it is exploit-wise or how efficient it is, and I would like some advice.

Thank you for your time 🙂

This depends more on how the script works and how you want it to work. As you said, it contains a RemoteEvent, so it will fire the server anyway. With a server script you will have to change most of the script, and you aren't allowed to fire the server. Basically, the answer to your question depends on how the script works and how you want it to work. As I see it, your script has no problem being a LocalScript, more so if it fires an event to take humanoid damage. If you change it to the server, it should be the same but without events. Hope this helps.

Hi! So you were definitely right to be concerned about the potential exploitation here. What an exploiter will probably wind up doing with a system like this, is they’ll go ahead and overwrite the :FireServer() method on their client, allowing them to gatekeep what actually reaches the server. This would effectively give them immunity from the attack, since you’re basically asking them to report themselves instead of handling detection from the server.

What’s far more concerning is that you’re having them send over their Humanoid as well, rather than just grabbing it through the requesting Player. I’d hate to think that an exploiter could send over someone else’s Humanoid, and have the server kill them.

Having them decide how much damage they take is also a bad idea, as depending on how you actually apply that damage, they may send over a negative number, and abuse the remote to heal themselves.

For these reasons, and probably more, you shouldn’t be leaving any of this up to the client.
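A server-side version of the check discussed in the reply above, as an added example that is not code from any poster in this thread. It swaps the question's Region3 query for `workspace:GetPartBoundsInBox`, and it assumes attack parts are created by the server in a folder named `ServerHitboxes` and carry an `OwnerUserId` attribute; those two names and the damage cap and cooldown values are hypothetical.

```lua
-- Added example: Script in ServerScriptService. No RemoteEvent is involved,
-- so the client never chooses the Humanoid or the damage amount.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local HITBOX_SIZE = Vector3.new(6, 10, 6) -- regionSize / heightSize from the question
local MAX_DAMAGE = 100                    -- assumed cap
local HIT_COOLDOWN = 0.5                  -- assumed seconds between hits per hitbox

-- Assumption: attack parts are created by the server inside this folder.
local hitboxFolder = workspace:WaitForChild("ServerHitboxes")
local params = OverlapParams.new()
params.FilterType = Enum.RaycastFilterType.Include
params.FilterDescendantsInstances = { hitboxFolder }

local lastHit = {} -- [player] = { [part] = os.clock() of the last hit }

local function damageFor(part)
	local stat, asset = part:FindFirstChild("StatMult"), part:FindFirstChild("AssetMult")
	if not (stat and asset) then return nil end
	local dmg = stat.Value * 10 * asset.Value
	-- Reject NaN, zero and negative results so "damage" can never heal.
	if type(dmg) ~= "number" or dmg ~= dmg or dmg <= 0 then return nil end
	return math.min(dmg, MAX_DAMAGE)
end

RunService.Heartbeat:Connect(function()
	for _, player in ipairs(Players:GetPlayers()) do
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		-- The Humanoid is looked up from the Player, never supplied by a client.
		local humanoid = character and character:FindFirstChildOfClass("Humanoid")
		if root and humanoid and humanoid.Health > 0 then
			local seen = lastHit[player] or setmetatable({}, { __mode = "k" })
			lastHit[player] = seen
			local box = CFrame.new(root.Position)
			for _, part in ipairs(workspace:GetPartBoundsInBox(box, HITBOX_SIZE, params)) do
				local isAttack = part:FindFirstChild("Attack") or part.Name == "PunchHitbox"
				local own = part:GetAttribute("OwnerUserId") == player.UserId
				local dmg = isAttack and not own and damageFor(part)
				if dmg and os.clock() - (seen[part] or 0) >= HIT_COOLDOWN then
					seen[part] = os.clock()
					humanoid:TakeDamage(dmg)
				end
			end
		end
	end
end)

Players.PlayerRemoving:Connect(function(player) lastHit[player] = nil end)
```

The character's position is still simulated by its owning client, so this removes the trust placed in the remote's arguments but does not by itself validate where the character is.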

To be honest, I was also concerned about hitbox expanding options, but there are so many risks that I will just change it to the server.