0

What can I do to add security to my remote events and functions for my Data Stores?

Asked by 6 years ago

I've been doing my own research into how one would go about doing this, but I haven't been able to find any solutions that would stop an exploiter from injecting code to fire a remote event for my data store and changing their data.

My data store works through events fired by the client to the server, then run through my data store, which is a module script. What I'm trying to do is stop the client from being able to fire these events if they were to inject code through an exploit program which would fire the event and alter their data in the data store.

0
You should not save data in a remote event / function. At all times the server must be in control over when and how you save data. User#5423 17 — 6y

2 answers

1
Answered by
mattscy 3725 Moderation Voter Community Moderator
6 years ago

The best and only way of securing information sent by the client is by undergoing checks and tests to determine whether the action that the client is trying to take is valid.

If, for example, you were giving a player an item, you would give the player the item from a server script and save the information in a data store. Then, if they equipped that item through a gui, to prevent exploiters from sending any item name over to equip, you would check if the item that they are attempting to equip is in their datastore before equipping it.

The checks you need really depend on what you are trying to do. If you were doing a cookie clicker game, where the player clicked a cookie gui for different amounts of points, you would check on the server if they were authorised to gain that amount of points each click. For example, if there were different upgrades to give different amounts of cookies each click, the server would add up all the upgrades that the player has and check if the amount of points they are trying to get is less than the total amount that they are able to get with their upgrades. If it's not, you don't give them the cookies.

The basics are that you keep an outline of all the player’s information on the server and compare it with data sent from the client to see if they have the authority to do something. You can specify your exact problem if you still need help, and I’ll do my best to answer.
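The cookie-clicker check described in this answer, sketched as a server Script. This is an added example, not part of mattscy's post; the RemoteEvent name `CookieClick`, the data store name `CookieData`, the upgrade table and the click interval are assumptions.

```lua
-- Server Script (ServerScriptService). Added example; names are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local DataStoreService = game:GetService("DataStoreService")

local clickEvent = ReplicatedStorage:WaitForChild("CookieClick") -- hypothetical RemoteEvent
local store = DataStoreService:GetDataStore("CookieData")        -- hypothetical store name
local BASE_PER_CLICK = 1
local UPGRADE_BONUS = { Oven = 2, Factory = 10 } -- constructed sample upgrades
local MIN_CLICK_INTERVAL = 0.05                  -- seconds; assumed rate limit
local sessions = {} -- server-side record per player; clients never write to it

-- Largest amount one click may grant, from upgrades the server has on record.
local function maxPerClick(session)
    local total = BASE_PER_CLICK
    for name in pairs(session.upgrades) do
        total += UPGRADE_BONUS[name] or 0
    end
    return total
end

Players.PlayerAdded:Connect(function(player)
    local ok, saved = pcall(function()
        return store:GetAsync(tostring(player.UserId))
    end)
    if not ok then return end -- load failed: no session, so nothing is overwritten
    saved = saved or {}
    sessions[player] = { cookies = saved.cookies or 0, upgrades = saved.upgrades or {}, lastClick = 0 }
end)

clickEvent.OnServerEvent:Connect(function(player, amount)
    local session = sessions[player] -- keyed by the engine-supplied player
    if not session then return end
    -- Reject non-numbers, NaN, fractions and anything outside the allowed range.
    if typeof(amount) ~= "number" or amount ~= amount or amount % 1 ~= 0 then return end
    if amount < 1 or amount > maxPerClick(session) then return end
    local now = os.clock()
    if now - session.lastClick < MIN_CLICK_INTERVAL then return end -- drop remote spam
    session.lastClick = now
    session.cookies += amount
end)

-- The server alone decides when to save; no remote triggers a write.
Players.PlayerRemoving:Connect(function(player)
    local session = sessions[player]
    sessions[player] = nil
    if not session then return end
    pcall(function()
        store:SetAsync(tostring(player.UserId), { cookies = session.cookies, upgrades = session.upgrades })
    end)
end)
```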

0
Answered by
iRexBot 147
6 years ago

DataStores are Server Sided Only, meaning only Scripts can run them, and all exploits run via local scripts (Client Sided). If you have a remote event to change someone's data store, you should add a "password". You can make your passwords more secure using [password salting](https://en.wikipedia.org/wiki/Salt_(cryptography)). Another way to protect remote events is to add checking measures in the script, for example:

Hacker:

while wait() do
    game.ReplicatedStorage.KickPlayer:FireServer(game.Players.iRexBot)
end

Server:

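game.ReplicatedStorage.KickPlayer.OnServerEvent:Connect(function(plr, toKick)
    -- plr is supplied by the engine: it is the player who fired the remote
    if plr.Name~="iRexBot" then
        -- Anyone other than the allowed player who fires this remote is kicked
        plr:Kick("hacker!")
    else
        toKick:Kick()
    end
end)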

What happened in the code is a hacker attempted to fire a remote event. An argument for OnServerEvent always has player as the first argument. The player argument is the person who had fired the remote, meaning we can use check barriers to protect our remote from doing an action. Roblox also suggests that you should have the scripts that check for the requirements all in the server-sided part and not the local-sided part, as hackers could fire the remote event.
