

The golden rule for security is to never trust the client. In a similar vein of reasoning, assume that everything that can go wrong will eventually go wrong. The reason this section wasn't titled "defending against hackers" is that a change of mentality is needed to truly secure a server: no client can be trusted and everyone is a hacker. This goes for website development, game development, API development, everywhere there is a "server".

If you keep in mind some core principles, you can discover all of what is possible by extrapolation. Exploiters can see everything you can in Studio and more, besides what is stored in server-only locations like ServerScriptService or ServerStorage. They can also see the source code of scripts in Workspace, their player, etc. They can even turn walls transparent to see other players. They can hijack your scripts, rewrite them, or stop them altogether (with filtering enabled, other players won't see the same thing). They can also do things you can't as a developer, like cause specific types of communication never to be sent to the server (think: remote events / functions that warn the server the client is a hacker). If they want to kill every other player, they can. They can push other players off the map, prevent death, speedhack, fly, noclip, etc. There are lots of topics on this forum about these attacks, and I've posted on many myself.

With that in mind, clients exploit in one of two ways:

- Observations: breaking game rules by finding information that shouldn't be known to them.
- Actions: ways to manipulate server state (remote events / functions, network ownership).

To prevent observation attacks, you need to keep any logic that requires knowledge of information the user should not be aware of on the server. In designing a maze game, only the visible sections should be present on the client. For an FPS game, this would mean that wallbang shots cannot be validated on the client, because the client should not have a player on the other side of the wall. In addition, character models are naturally insecure because network ownership is given to the client; this is most often dealt with through periodic sanity checks on the server.

To prevent action attacks, you need to follow the principle of least privilege and always validate client input.
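The two defences above (recomputing a hit on the server instead of trusting what the client claims, and a periodic sanity check on a network-owned character) as one server Script, written as an added example for this page rather than code from the original post. It assumes a RemoteEvent named "FireWeapon" in ReplicatedStorage, a weapon whose rules (damage, range, cooldown) exist only on the server, and a game-specific movement ceiling of 40 studs/s; all three are assumptions for illustration.

```lua
-- Server Script (ServerScriptService). Added example; the remote name, weapon stats and
-- speed ceiling are assumptions, not values from the original post.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local RunService = game:GetService("RunService")

local fireWeapon = ReplicatedStorage:WaitForChild("FireWeapon") -- assumed RemoteEvent

-- Weapon rules live on the server only; the client never sends them.
local WEAPON = { damage = 25, range = 300, cooldown = 0.2 }
local lastShot = {} -- [Player] = os.clock() of the last accepted shot

-- INSECURE pattern the post warns against: the client names the target and the damage.
-- fireWeapon.OnServerEvent:Connect(function(player, targetHumanoid, damage)
--     targetHumanoid:TakeDamage(damage) -- an exploiter kills anyone, from anywhere, instantly
-- end)

-- Hardened handler: the client sends only an aim direction; everything else is recomputed here.
fireWeapon.OnServerEvent:Connect(function(player, direction)
	-- 1. Validate the shape of the input; exploiters can send any type or value, including NaN.
	if typeof(direction) ~= "Vector3" or direction ~= direction or direction.Magnitude == 0 then
		return
	end
	local character = player.Character
	local head = character and character:FindFirstChild("Head")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not head or not humanoid or humanoid.Health <= 0 then
		return
	end

	-- 2. Enforce the fire rate on the server; a client can simply skip its own cooldown.
	local now = os.clock()
	if lastShot[player] and now - lastShot[player] < WEAPON.cooldown then
		return
	end
	lastShot[player] = now

	-- 3. Recompute the shot from the server's view of the world. The ray stops at the first
	--    part it meets, so a "wallbang" on a player behind a wall is rejected here even if the
	--    client claims a hit (the client should not even have that player, per the post).
	local params = RaycastParams.new()
	params.FilterDescendantsInstances = { character }
	params.FilterType = Enum.RaycastFilterType.Exclude
	local result = workspace:Raycast(head.Position, direction.Unit * WEAPON.range, params)
	if not result then
		return
	end
	local hitModel = result.Instance:FindFirstAncestorOfClass("Model")
	local hitHumanoid = hitModel and hitModel:FindFirstChildOfClass("Humanoid")
	if hitHumanoid and hitHumanoid.Health > 0 then
		hitHumanoid:TakeDamage(WEAPON.damage) -- damage comes from the server table, not the client
	end
end)

-- Periodic sanity check for network-owned characters. The client owns its character's physics,
-- so the server cannot stop a speedhack or fly directly; it can only measure displacement over a
-- window and reject movement that is implausible for this game.
local MAX_SPEED = 40        -- studs/s, assumed ceiling for this game (default WalkSpeed is 16)
local CHECK_INTERVAL = 0.5  -- seconds; averaging over a window absorbs replication jitter
local lastPosition = {}     -- [Player] = Vector3 at the previous check
local accumulated = 0

RunService.Heartbeat:Connect(function(dt)
	accumulated += dt
	if accumulated < CHECK_INTERVAL then
		return
	end
	local elapsed = accumulated
	accumulated = 0
	for _, player in ipairs(Players:GetPlayers()) do
		local root = player.Character and player.Character:FindFirstChild("HumanoidRootPart")
		if root then
			local prev = lastPosition[player]
			if prev and (root.Position - prev).Magnitude / elapsed > MAX_SPEED then
				root.CFrame = CFrame.new(prev) -- snap back; a clean client never trips this
			else
				lastPosition[player] = root.Position
			end
		end
	end
end)

-- Respawns and server-initiated teleports are legitimate jumps: clear the stored position
-- so they are not mistaken for a speedhack.
Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function()
		lastPosition[player] = nil
	end)
end)
Players.PlayerRemoving:Connect(function(player)
	lastShot[player] = nil
	lastPosition[player] = nil
end)
```

The movement check deliberately works on a window rather than per frame: character positions replicate in bursts, so a per-Heartbeat speed estimate can spike for an honest walker. If your game teleports players from the server (checkpoints, round resets), clear `lastPosition` for that player at the same time, exactly as the CharacterAdded handler does.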
