NOTE

Once again, this is all just my opinion, and I’m not a security expert - so please take this guide with a grain of salt.

Practical Examples#

TIP

There’s no foolproof way to eliminate hackers entirely, but there are strategies to make their lives more difficult. Our goal is to foster a fair and secure game experience for everyone.

Cookie Clicker#

Clicker games are notoriously easy to exploit, making them a perfect case study. Here’s a step-by-step guide to securing such a game.

Approach to Game Security#

• Client-Side Guesswork: Let the client invoke a click request to the server. Assume on the client side that the click has been accepted to maintain a seamless user experience.
• Server as the Source of Truth: While the client handles the immediate visual feedback, the server maintains the authoritative count of clicks.
• Periodic Updates: Send the updated click count from the server to the client every few seconds. This ensures the game feels responsive without compromising security.

Why this approach?
By balancing real-time feedback with server authority, we enhance the user experience while paving the way for effective security checks.

Implementing server-side security checks#

Once the server receives a request to validate a click, we can implement a variety checks to identify and mitigate exploits, examples:

• Interval Consistency: Monitor the time between clicks. If it’s consistently identical, the player might be using an automated tool.
• Human Click Speed: Research suggests humans rarely click faster than 24 milliseconds. Use this as a benchmark to flag suspicious activity. (comparison between the last click and the current click)
• Pattern Recognition: Look for repeated click patterns (e.g., four identical clicks followed by one variation), which could indicate attempts to bypass initial detection.
• Session Durations: Humans usually take breaks during extended gameplay. Continuous clicking for over an hour may indicate automation.
• Click Positioning: Check the click location of the click. (sent through the remote) If it’s static or repeats exactly, it’s likely a bot.
  • Distance Tracking: Analyze the distance between successive clicks; genuine clicks tend to vary slightly in position.
    • We could check if they’re clicking at the same position, or if they’re clicking at totally random positions, it’s atypical behaviour for you to click at random positions on the screen..
• AFK Detection: Periodically (e.g., every 20 minutes), require the player to interact with a UI element to confirm they’re not idle or using automation.

Obbies#

Obbies present a unique challenge in Roblox security due to their heavy reliance on player movement and object interactions, often without robust server-side oversight. This lack of server authority creates vulnerabilities that hackers can exploit, enabling them to bypass obstacles or fly directly to the end of the Obby.

Server-side security checks#

There are a few things we could do to improve the security:

• Distance-Based Respawn: Respawn players if they stray too far from the area between their current spawn point and the next. This prevents skipping large sections of the Obby.
• Sequential Spawn Point Progression: Only allow players to claim a new spawn point if they’ve already activated the one before it. This ensures progression is linear and prevents hackers from flying directly to the end.
• No-Fly Zones: Designate specific regions in the game as “no-fly zones.” If a player enters these zones while flying or using unintended methods, respawn them to maintain fair play.
• Speed-Based Section Tracking: Monitor how quickly players complete each section of the Obby. If completion times are suspiciously fast, respawn the player.

Generic Security Tactics for Obbies#

In addition to these Obby-specific strategies, we can apply general security checks to further safeguard the game:

• Position Monitoring: Track player movement. If they exceed a reasonable speed threshold, respawn them to prevent exploits like speed hacking.
• Void Detection: If a player is detected over the void (suggesting fly hacking) and a downward raycast fails repeatedly (e.g., five times in a row), respawn them.
• Clipping Detection: Monitor for instances where players clip through floors or walls. This can be identified through raycasts and corrected by respawning the player.
• Jump Exploit Detection: Use humanoid states to detect infinite jumping or other gravity-defying behavior. If this is identified, respawn the player.

Tycoons#

Tycoons are a popular Roblox genre but are particularly vulnerable to exploits, such as automated purchasing, resource manipulation, and invalid interactions. To ensure fairness and security, implementing robust server-side checks is essential.

Server-side security checks#

• Distance Validation: Verify the player’s HumanoidRootPart is within an acceptable distance of the object they are interacting with. Hackers often simulate inputs to trigger interactions remotely, so the server should validate proximity before processing the request.

• Time-Based Validation: Monitor the time intervals between item purchases. Legitimate players must move physically across the game map to access items, which introduces a natural delay. Abnormally fast purchase sequences can indicate automation or cheating.

• Purchase Cost Validation: Always validate the cost of purchases on the server. The server should be the sole authority for deducting resources and confirming transactions. Never trust the client to supply or verify purchase details.

NOTE

You can add onto this further by implementing specific cheat detections for your experience - for example, if you know the player is put into a cutscene after X purchase - don’t let them do anything until you know that cutscene is over.

General Security Tactics#

While game-specific security measures are essential, having a set of generic security practices can help safeguard various aspects of your game. Here are some examples of strategies that can be applied across different game environments.

Detection and Prevention Tactics#

• Bait Remotes: Bait remotes are a commonly used tactic to detect and deter cheaters. These remotes are intentionally placed to lure hackers into calling them, allowing the game to accurately identify exploiters and respond appropriately.

• Networking Key-Exchange System: Implementing a key-exchange system enhances security by ensuring only valid communication between the client and server. The server assigns a random, mutable key (e.g., using Random.new():NextNumber), which the client must use for requests. If a hacker bypasses the networking implementation, the key becomes invalid, causing subsequent requests to fail.

• Obscuring Remote Parents: To prevent hackers from easily locating and exploiting remotes:

  • Temporarily parent remotes to ReplicatedStorage and move them to nil after a request.
  • Rename remotes to obscure names like “Parent” or unconventional characters such as “\1,” making it harder for exploiters to target them. (You should store the remote as a variable so that you can still access said remote!)

Obfuscation Techniques#

• Obscuring the Game Environment: Rename all game services to non-standard names, as your scripts should use :GetService. Hackers often rely on game.ServiceName, and this technique disrupts poorly written exploit scripts.

• Obscuring Script Names and Parents: Change the names of scripts to make it harder for hackers to analyze your game logic. You can also temporarily parent scripts to nil to prevent easy discovery.

  • Note: Be cautious with this approach if your scripts call require post-obfuscation.

• Fake Goals and Objectives: Place decoy objects or objectives in your game, visible only through exploit tools. These traps can trick hackers into revealing themselves by interacting with hidden elements they shouldn’t be able to access.

Player Behavior and Physics Monitoring#

• Player Collision: Disable player-to-player collisions to prevent exploiters from using collision-based attacks, such as flinging others into the void.

• Noclip Detection: Use raycasting to identify when a player passes through solid objects. If detected, respawn the player.

• Speed and Teleport Detection: Implement a loop to track player movement speed and position. If a player moves unnaturally fast or teleports without a valid reason, return them to their last known location.

  • Note: This method can also help detect and address fly hacking.

NOTE

If you’re still interested and want to learn more about this subject, check out the documentation Roblox provides:

https://create.roblox.com/docs/scripting/security/security-tactics