Better way to secure game(module script vs remote event)?
In terms of a hacker that uses remote spy and other things to hack games...
I know using a remote event is a bad idea for certain things like deleting objects, but would a module script offer more protection? Could a hacker still manipulate it?
Thanks
1 answer
Neither of the said objects are there for security purposes.
ModuleScripts are just like normal lua files and are used to extend code. They have no special properties.
Remotes are Roblox's tool to easily let the developer manage networking. While you can simply call the remote objects' methods and listen to their events, Roblox is doing all the hard work in the background -- sending and handling packets.
Remotes themselves offer no protection of any kind. Without them however, you wouldn't be able to control what kind of data is being sent between the server and the clients. It is up to the developer to only send the necessary information as well as validate the data to provide the players with a smooth and secure gaming environment.
When working with networking, you have to remember that the client can see everything on their machine. This includes all the files existing on the machine, every single bit of data in the memory and so as well every single bit of data being sent or received over the network. And that's the point. What would the client do with the data if it cannot read it in any form? They however cannot use the data maliciously unless the developer lets them to.
An exploiter can also manipulate any bit of data existing on their machine. This includes the data being sent over the network. This is why you cannot rely on your client-side application to send the correct data to the server, an exploiter could've manipulated it. The solution is simple. The server performs a validation process when it receives the data. It runs one or more validations and decides whether the client is permitted to perform this action or not.
I know using a remote event is a bad idea for certain things like deleting objects
This is a totally fine use of a remote when done correctly. You as the developer need to set rules on when this action can occur. If you only want certain people to be able to delete objects in the game, the server can simply compare the requester's ID to a list of accepted player IDs. If a match is found, the server can perform thr action.
Maybe you don't want to let permitted players to delete objects all the time. Thus you want to store the information of last permitted object deletion process and calculate how much time has passed since. If it is enough, you can delete the object and update the last permitted deletion time.
0