So exactly how secure is a ModuleScript?
I know how they function and all, but I do have a question regarding their replication from the client to server. I'm designing a shooter game with ModuleScripts in ReplicatedStorage.
This is my idea:
Player clicks shoot button, projectile and animation occur on client side (handled in ModuleScript)
RemoteEvent triggered, server script detects it, validates character's FPS, position, angle, etc (anti-exploiting stuff all handled server side). If everything seems valid then that same ModuleScript that handled local projectiles/animation will be called by the server to create the same thing on the actual server.
Is it wise to share a ModuleScript between a client and server like this? My fear is that somehow exploiters could modify it to do something different and when it's called by the server, that changed thing will actually occur on the server. Is this possible, or am I being paranoid?
I guess what I'm asking is.. if a client got a hold of a ModuleScript in ReplicatedStorage and started messing with its contents, would that change just be local to them, and the ModuleScript would still appear original from the server's perspective?
1 answer
Just think of it this way, Module Scripts are Local Scripts or Scripts depending on what side they are on. If the are in the ReplicatedStorage, I suppose they are in both. But the point is to keep important things such as data handlers/givers on the server side, as well as validate them on the server side.
Everything on the client is visible and takable since the client has their own version of the game. There are even exploits now that let you see all the functions you are calling in scripts so they can call them their self (which can affect the server yes).
I would say, don't go overboard with the protection for vulnerabilities are always there no matter what you do, but definitely don't put all your scripts on the client - especially the important ones that handle data.