
Stuck Deciding Between Scripts, Which Would Be More Secure?

Asked by
Audiimo 105
4 years ago
Edited 4 years ago

I understand the title makes this seem like a ridiculous question, but please read and give me a chance. I had to be more specific because "Script Security" was not direct enough.

Anywho, as you probably could tell, this is a security-related question. I have two scripts that do the exact same thing (as I have just copied and pasted) which are named InteractionHandler. They send out raycasts to check if there are any, what I've dubbed, interactables (doors, tools, etc.). They do measures and checks to see if the interactable is valid and has the basic components to function, usually just to see if the server script is located in the object.

Once the checks are done and the object is valid, it sends a RemoteFunction (or BindableFunction depending on the IntHandler's script type). These scripts are stored in StarterPlayer or StarterCharacter depending on if it is a local or a server script respectively. Anyway, after all that explaining, my question is: would it be more secure to have the IntHandler as a server-sided script or a client-sided?

I ask this because I believe the server script option would be best because the player is already going to be manipulating the world by opening a door, as an example. Though, I originally used a local script with the thought that anything done by the script wouldn't affect the world until the IntHandler called the Interactable's script, therefore better. I keep going back and forth and some input from some knowledgeable people would be great to help guide me into a better understanding.

I apologize if this is confusing. Please notify me if more information is needed or corrections are to be made. Thank you in advance!

-Audiimo

1 answer

Answered by 4 years ago

Nothing on the client is secure, so you should be using server-side scripts for anything that you don't want an exploiter to modify.

See https://scriptinghelpers.org/guides/how-to-use-remoteevents-properly for some basic guidelines - just having scripts run on the server isn't secure if your RemoteEvents/RemoteFunctions let players ask the server to do anything!

I'm not clear what your IntHandler does, but let's take opening a door as an example.

So, the player is moving around and they provide input in order to open a door. To detect this input you should use a LocalScript. It could determine which door to open (if there are multiple in front of the player), it might make sure the door isn't locked before continuing (or else maybe it'll play a sound or display a message), but to actually open the door it has to send a request to the server. If the LocalScript were to try to open the door without a request, it would only open for the player that the LocalScript is running for -- everyone else would see a closed door.

So, the server receives a request to open the door. It should also perform checks -- are the arguments the correct type? Is the door that the player is trying to open within range (e.g. not on the other side of the map)? Is the door unlocked or else does the player have a key? If everything's OK, then the server opens the door.

Thanks! Very helpful! Audiimo 105 — 4y
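
The server-side checks listed in the answer above (argument type, range, lock or key), written out as an added Luau example; it is not code from the original answer or from the asker's project. The RemoteEvent name `OpenDoorRequest`, the `Door` tag, the `Locked`/`KeyName`/`Open` attributes and the `MAX_RANGE` value are assumptions made for illustration.

```lua
-- Server Script (for example in ServerScriptService). Added example.
-- Assumed names: RemoteEvent "OpenDoorRequest", CollectionService tag "Door",
-- attributes "Locked", "KeyName", "Open", and the MAX_RANGE value.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local CollectionService = game:GetService("CollectionService")

local MAX_RANGE = 12 -- studs; assumed interaction distance
local request = ReplicatedStorage:WaitForChild("OpenDoorRequest")

-- Returns true only if every server-side check passes. The client's argument
-- is used only to identify which door is being asked about.
local function canOpen(player, door)
	-- 1. Argument type: must be a live Model that the server tagged as a door.
	if typeof(door) ~= "Instance" or not door:IsA("Model") then return false end
	if not door:IsDescendantOf(workspace) then return false end
	if not CollectionService:HasTag(door, "Door") then return false end
	if not door.PrimaryPart then return false end

	-- 2. Range: measured on the server between its view of the character and the door.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return false end
	if (root.Position - door.PrimaryPart.Position).Magnitude > MAX_RANGE then
		return false
	end

	-- 3. Lock state: read from the server's door, never from a client argument.
	if door:GetAttribute("Locked") then
		local keyName = door:GetAttribute("KeyName")
		if typeof(keyName) ~= "string" then return false end
		local backpack = player:FindFirstChildOfClass("Backpack")
		local hasKey = (backpack and backpack:FindFirstChild(keyName))
			or character:FindFirstChild(keyName)
		if not hasKey then return false end
	end
	return true
end

-- The first argument is supplied by the engine, so the sender cannot be spoofed.
request.OnServerEvent:Connect(function(player, door)
	if canOpen(player, door) then
		door:SetAttribute("Open", true) -- a separate door script would react to this
	end
end)
```

The LocalScript can still run its own checks for responsiveness, but a request that fails any check here is dropped without changing the world.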