Security can be a concern to Roblox developers. While most of the community plays by the rules, some try to exploit games by corrupting data stores, injecting models, and more.

Fortunately, the following methods can make your games more secure.

Check Free Models and Plugins

Roblox offers a huge selection of free models and plugins, but you should be careful when using them (even the popular ones). When using a free model or plugin:

  1. Check if the item contains any scripts (Script or LocalScript).
  2. If it does, go through the scripts and see if they do anything unexpected like add models, access services you’ve never heard of, etc.
  3. If you don’t understand the code, try to learn what’s going on. If you can’t figure it out, Roblox has an active community that can be very helpful.
  4. Even if you’re pretty sure the code is safe, watch carefully when testing your game, both in Studio and when it’s published to Roblox. If you notice strange behavior after adding a free model or plugin, delete it and see if the problem goes away.

Server-Side Validation

Remote functions and events are the best option for client-server communication, but they are not necessarily secure channels. A clever hacker may fire a remote event that the game never intended, or change the values that are passed along with it. Because of this, you should use basic server-side validation to confirm that each incoming request is legal before acting on it.

Consider a game with a shop system. When players want to buy an item, they interact with an interface on the client side, for instance a screen GUI with a "Buy" button. When the button is pressed, the client can fire a remote event to the server and request the purchase. However, it is important that the server, the most reliable manager of the game, checks whether that player actually has enough money to buy the item rather than trusting anything the client claims.
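One way to perform that check on the server, as an added example that is not code from the original article. It assumes a RemoteEvent named BuyItem in ReplicatedStorage and a leaderstats IntValue named Coins on each player; the price catalog is constructed for illustration.

```lua
-- Server Script in ServerScriptService (added example, not from the article).
-- Assumes ReplicatedStorage.BuyItem (RemoteEvent) and player.leaderstats.Coins.
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local buyItem = ReplicatedStorage:WaitForChild("BuyItem")

-- Server-owned price list (constructed): the client never decides what an item costs.
local CATALOG = {
	Sword = 100,
	Shield = 75,
}

-- Validates a purchase request. Returns true and the new balance on success,
-- or false and a reason the request was rejected.
local function tryPurchase(player, itemName)
	-- Reject anything that is not a known item; an exploiter can send any value here.
	if type(itemName) ~= "string" or CATALOG[itemName] == nil then
		return false, "unknown item"
	end

	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if not coins then
		return false, "no balance"
	end

	-- The server decides the price and checks the server-side balance.
	local price = CATALOG[itemName]
	if coins.Value < price then
		return false, "insufficient funds"
	end

	coins.Value -= price
	-- Grant the item to the player here.
	return true, coins.Value
end

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- The player argument is supplied by the engine, not the client, so it cannot be faked.
	local ok, result = tryPurchase(player, itemName)
	if not ok then
		warn(("%s: rejected purchase of %s (%s)"):format(player.Name, tostring(itemName), result))
	end
end)
```

Logging rejected requests gives you a simple way to spot a player who keeps sending requests that a normal GUI would never produce.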

Disable “loadstring()”

You should almost always leave the Lua loadstring() function disabled (it is disabled by default). This function is both powerful and dangerous because it allows arbitrary, dynamically built code to execute at runtime. With the ability disabled, any Script on the server that attempts a loadstring() call will throw an error instead of running the string.

This setting can be found in the ServerScriptService properties under LoadStringEnabled.
