The application of this is pretty irrelevant; however, let's just suppose that I have a third-party server that can receive HTTP requests from various games on Roblox, with no sort of validation as to who is allowed to send these HTTP requests. It is a public service. Hypothetically, is there a way to verify information being sent from the server as originating from the client (i.e. client chat messages, client movements, etc.)? I need to be 100% positive that the server does not spoof client actions. I have thought about using digital signatures or public-key encryption of some sort, but neither method is really applicable for this. Any ideas?
If I’m understanding the question right, I would just tag it with some sort of Player data that you can use to authenticate it. Maybe Player Id? If the data is being sent from the game, you could tag with a unique code specific only to either an individual server or the game itself.
Well yes, but the problem is that the server sending the HTTP request could forge data by appending false data with a valid player ID. I could get around this by using asymmetric encryption, but the client's private key would need to be inaccessible from the server so that any encrypted request is assured to originate from the client.