
Security can be a concern for Roblox developers. While most of the community plays by the rules, some try to exploit games by corrupting data stores, injecting models, and more.

Fortunately, the following methods can make your games more secure.

Check Free Models and Plugins

Roblox offers a huge selection of free models and plugins, but you should be careful when using them (even the popular ones!). When using a free model or plugin:

  1. Check if the item contains any scripts (Script or LocalScript).
  2. If it does, go through the scripts and see if they do anything unexpected, such as adding models or accessing services you’ve never heard of.
  3. If you don’t understand the code, try to learn what’s going on. If you can’t figure it out, Roblox has an active community that can be very helpful.

Server-Side Validation

Remote functions and events are the best option for client-server communication, but they’re not necessarily secure channels. A clever hacker may fake a remote event or change the values that are passed along with it. Because of this, you should use basic server-side validation to confirm that the incoming request is legal.

Consider a game with a shop system. When a player wants to buy an item, he or she will interact with an interface on the client side, for instance a screen GUI with a “Buy” button. When the button is pressed, the client can send a remote event to the server and request the purchase. However, it’s important that the server, the most reliable manager of the game, checks if that player has enough money to buy the item.
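The shop scenario above as a server Script, written as an added example rather than code from the original article. It assumes a RemoteEvent named PurchaseItem in ReplicatedStorage, a leaderstats folder with a Coins IntValue, and a constructed item catalog; the price and the balance check both live on the server, so nothing the client sends is trusted.

```lua
-- Server Script (e.g. in ServerScriptService). Assumed names:
-- ReplicatedStorage.PurchaseItem (RemoteEvent) and a leaderstats "Coins" IntValue.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local purchaseEvent = ReplicatedStorage:WaitForChild("PurchaseItem")

-- Constructed catalog. Prices live only on the server; the client never decides a price.
local SHOP_CATALOG = {
	Sword = 100,
	Shield = 75,
}

local function getCoins(player)
	local leaderstats = player:FindFirstChild("leaderstats")
	return leaderstats and leaderstats:FindFirstChild("Coins") or nil
end

-- Returns true on success, or false plus a reason. Every client-supplied value is
-- checked: the argument must be a string, the item must exist in the catalog, and
-- the server's own record of the balance must cover the price.
local function tryPurchase(player, itemName)
	if typeof(itemName) ~= "string" then
		return false, "bad argument"
	end
	local price = SHOP_CATALOG[itemName]
	if price == nil then
		return false, "unknown item"
	end
	local coins = getCoins(player)
	if coins == nil or coins.Value < price then
		return false, "insufficient funds"
	end
	coins.Value -= price
	-- Grant the item here (e.g. clone a Tool from ServerStorage into player.Backpack).
	return true
end

-- The player argument of OnServerEvent is supplied by the engine, so a client cannot
-- spoof which player fired the event; only itemName comes from the client.
purchaseEvent.OnServerEvent:Connect(function(player, itemName)
	local ok, reason = tryPurchase(player, itemName)
	if not ok then
		warn(string.format("Rejected purchase from %s: %s", player.Name, tostring(reason)))
	end
end)
```

Rejected requests are logged with warn() so repeated bad arguments from one player show up in the server output, which is where tampering with the event's values first becomes visible.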

Disable “loadstring()”

You should almost always disable the Lua loadstring() function (it’s disabled by default). This function is both powerful and dangerous because it allows arbitrary and dynamic code to execute at runtime. With the ability disabled, however, any Script on the server that attempts a loadstring() call will throw an exception.

This setting can be found in the ServerScriptService properties under LoadStringEnabled.
