So I have a damage script in ServerScriptServices. It's parameters are the player and it's damage.
The reason I have "none" as the first parameter is because I'm trying to damage another player not myself
damageEvent.OnServerEvent:Connect(function(none,player,dmg) --does damage stuff end)
Would an exploiter be able to fire the healthEvent from an local script and damage any player they want with this? If so how do I make it more secure?
An exploiter can easily spawn kill every player in the server by:
for i, v in pairs(game:GetService("Players"):GetPlayers()) do damageEvent:FireServer(v, math.huge) end
You should do all the damages on the server, no remotes. Alternatively, you could do
damageEvent.OnServerEvent:Connect(function(player,dmg) --does damage stuff end)
which would only the damage the player itself.