Should I make the sound play in a server or local script

Should I make a sound play by a server script or a local script I’ve heard people saying server scripts are way harder to exploit then local scripts and Local scripts can make less server lag but I’m worried if someone exploits an inappropriate sound and my game gets gone please help me. Thanks for reading :slight_smile:


These aren’t related thoughts, you’re overthinking things a bit. You’re just playing a sound and that’s your own code, it doesn’t matter which environment plays the sound – pick one that seems most appropriate to your current use case.

The exploitability of code doesn’t necessarily rely on which environment you have the code running on but rather how the client is able to influence their own machine to take advantage of weakness in poorly architectured code, most prominent example being remotes with no validation or sanitisation. A Script isn’t any less “exploitable” than a LocalScript; clients simply aren’t sent the bytecode of Scripts and therefore can’t see its contents. Exploitability is based on the system, not code visibility.

Same goes for your worry about exploiters playing inappropriate sounds, if that happens then you have badly structured code where a client can tell the server to play a sound via remote authoritatively or for whatever reason you turned off RespectFilteringEnabled in SoundService which will cause sound playback to replicate to other clients – in that case though, the sound still needs to exist first as created by the server.

Taking a step back even further about your exploit worry, due to the privacy update exploiters wouldn’t be able to play inappropriate sounds regardless of if they can take advantage of a defect in your code structure. The sound would either need to be public thus granting access to all experiences to use it or access would need to be granted for the experience to use the sound and I trust you aren’t going to randomly allow that to happen.

So in short, you shouldn’t be thinking about exploits here. Think about which environment it’s most appropriate to have it running from and play it there.


As @colbert2677 said,

You could put it where ever it seems good to you.
Even if exploitiers have access to those sounds, it doesn’t matter.

Plus, the recent audio update prevents them from playing abusive/inappropriate songs.

1 Like

Just as with any other object or value on the server, placing sounds on the client (in a LocalScript) will lower the amount of replicated data that needs to transfer from the server to the client, particularly if the properties of that object (like volume or pitch) and changing frequently.

In terms of exploit prevention, you should not trust any data that the client sends to you, which for sounds would just be the properties of the sound that the client is using (again like volume, pitch, time position, etc.) It would be very unusual for the server to request this data from the client, but I thought I would mention it to be thorough.

The client can change anything on their local device & local scripts, but other players would not be aware of those changes, as long as you are getting that modified data from the client. (With the exception of client input and network ownership, this shouldn’t really be happening anyways.)

Thank for your reply! I’ll definitely benefit from this!