For a Script Module that reward players currency, should I just put that in the server storage and have a RemoteEvent, to access the value to be rewarded, so that the exploiters cannot alter that value? I'm afraid if I don't code everything on the server, hackers will take over my game.
Any suggestions for this particular case and future cases that put in server or replicated?
If you can abuse it, put it on the server. Never trust the client, don't trust what comes through a remote event. If you have a remote event telling the server to reward x cash, an exploiter can come in and fire to the server "yo give me 1000000000000 cash thanks in advance".
For what should and shouldn't be local, it's relatively simple. If it won't affect other players, (like UI) you can keep it local. If it affects other players (like having money) then you should try to keep as much of it on the server as possible.
Related devforum posts: Exploiting Explained, Requests vs. Demands, Comment on a post about Filtering Enabled