How to make a remote event secure?

Asked by 5 years ago

I have this on the server-side:

ReplicatedStorage.ChangeParam.OnServerEvent:Connect(function(player, param, new, folder, save)
    if folder == "leaderstats" then
        player.leaderstats:FindFirstChild(param).Value = new
    elseif folder == "data" then
        player.data:FindFirstChild(param).Value = new
    end
    if save then
        save_data(player)
    end
end)
-- Where save_data(player) saves the data.

and can be called in the client-side with:

ReplicatedStorage:WaitForChild("ChangeParam"):FireServer("has_done_intro", true, "data", true)

The thing is, a guy yesterday told me that this is very insecure against hackers and can be easily exploited. How can I make it more secure, and what's exploitable about it now?

0
You simply can't. DeceptiveCaster 3761 — 5y
0
So there always will be hackers? KaptonGames 11 — 5y

1 answer

Answered by 5 years ago
Edited 5 years ago

You Can't.

Nothing on the client is ever "fully" secure. This isn't just a "ROBLOX thing," this is everything. The client is the local computer executing the code (your computer), and if you have access to that computer, anything is possible.

The secret isn't to secure the client, but to make sure that the server never trusts what the client sends to it. By "never trust," we mean don't code your game like this:


Client: (fires remote) Can I have 9000000 points please?

Server: Uhhhh SURE! Here you go!

Client: Thank you :)


Instead, your game should be coded like this:


Client: (fires remote) Can I have 9000000 points please?

Server: Hmm, that's a lot of points to award you all at once for seemingly no reason. Let me check to see if this is a legitimate request...

Server: Yeah I don't think I'm going to award you those points.

Client: Dang it... The creator of this game must know what they're doing...


What's the Solution?

Silly dialog aside, this is really how your game should function. Make sure the server that's receiving the data from a client checks to see if what the client is asking for is legitimate. You may not be able to make it a perfect fail-proof process, but it surely is better than nothing. If you do it right, you'll be happy with the results.

I hope this was able to provide more insight on this topic. If you have any other questions, just let me know.

0
Can I just send some encoded key with the remote event and decode it in the server, etc.? KaptonGames 11 — 5y
0
That wouldn't matter because the client would have the key. Encoding it wouldn't even matter because the key is arbitrary. ScriptGuider 5640 — 5y
0
But what if only the server knows how to decode it? (Like a secret algorithm that only the server knows) KaptonGames 11 — 5y
0
Oops, never mind, I'm stupid. I get it. KaptonGames 11 — 5y
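
The server-side check the answer describes, applied to the question's ChangeParam handler, as an added example that is not part of the original posts. The allowlist contents, the rule that has_done_intro may only go from false to true, and the one-second limit are assumptions; save_data is the asker's function, assumed to be defined earlier in the same server script.

```lua
-- Added example, not the asker's code. Runs in a server Script.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Assumption: the only values a client may set by itself. leaderstats has no
-- entry, so points and similar values can only be changed by server game logic.
local CLIENT_WRITABLE = {
    data = {
        has_done_intro = {
            type = "boolean",
            -- may only be switched on, never reset or re-sent
            check = function(current, new) return current == false and new == true end,
        },
    },
}

local MIN_INTERVAL = 1 -- seconds between accepted requests per player (assumed)
local lastRequest = {}

-- Returns the value object to write to, or nil if the request is rejected.
-- Every argument comes from the client and may be of any type.
local function validate(player, param, new, folder)
    if typeof(param) ~= "string" or typeof(folder) ~= "string" then return nil end
    local rule = CLIENT_WRITABLE[folder] and CLIENT_WRITABLE[folder][param]
    if not rule or typeof(new) ~= rule.type then return nil end
    local container = player:FindFirstChild(folder)
    local target = container and container:FindFirstChild(param)
    if not (target and target:IsA("ValueBase")) then return nil end
    return rule.check(target.Value, new) and target or nil
end

-- The client-supplied "save" flag is ignored: the server decides when to save.
ReplicatedStorage.ChangeParam.OnServerEvent:Connect(function(player, param, new, folder)
    local now = os.clock()
    if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then
        return -- too many requests, drop silently
    end
    lastRequest[player] = now

    local target = validate(player, param, new, folder)
    if target then
        target.Value = new
        save_data(player) -- the asker's function (assumed defined above)
    end
end)

Players.PlayerRemoving:Connect(function(player) lastRequest[player] = nil end)
```

With this handler the client call from the question still works once per player, while a request for any other parameter, folder or value type is dropped.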