roblox-client-server-networking-and-security
Core sources: https://create.roblox.com/docs/projects/client-server , https://create.roblox.com/docs/scripting/security/server-authority (server-authority techniques), the entire scripting/security/ section (security-tactics, defensive-design, client-server-boundary, network-ownership, access-control, etc.), events/remote and bindable, plus the relevant Engine classes (RemoteEvent, RemoteFunction, Bindable*, RunService, etc.).
The Model in One Sentence
The server is authoritative for game state and simulation. The client simulates for responsiveness and renders what the server tells it. Anything that can be abused (economy, progression, combat outcomes, movement in competitive play) must be validated or simulated on the server.
Communication Tools
RemoteEvent — fire-and-forget across the boundary.
- Client → Server: RemoteEvent:FireServer(...) → server handler receives (player, ...)
- Server → Client: FireClient(player, ...) or FireAllClients(...)
RemoteFunction — request/response (yields).
- Client: InvokeServer(...) → server OnServerInvoke(player, ...)
- Server can InvokeClient (less common, has caveats).
Critical warning:
RemoteFunction:InvokeClient yields the server until the targeted client returns a value. A hostile or lagging client can leave the invocation pending and hang the server indefinitely. Avoid server→client invocation; if you must use it, enforce a timeout and treat the client as untrusted.
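One way to enforce the timeout and untrusted-reply handling described in the warning, as an added example (not code from the Roblox documentation). The RemoteFunction name GetClientSetting, the UiScale attribute, the 5-second timeout and the 0 to 1 range are assumptions made for illustration.

```luau
-- Server Script. Added example; all names below marked "hypothetical" are assumptions.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local getClientSetting = ReplicatedStorage:WaitForChild("GetClientSetting") -- hypothetical RemoteFunction
local TIMEOUT_SECONDS = 5 -- assumed budget for a client reply

-- Returns (true, value) if the client replied in time, otherwise (false, reason).
local function invokeClientWithTimeout(remote, player, timeout, ...)
	local caller = coroutine.running()
	local settled = false
	local args = table.pack(...)

	-- The yielding call runs in its own thread. If the client never answers, only
	-- this thread stays suspended (until the client replies or disconnects).
	task.spawn(function()
		local ok, result = pcall(function()
			return remote:InvokeClient(player, table.unpack(args, 1, args.n))
		end)
		if settled then return end -- reply arrived after the timeout: discard it
		settled = true
		task.defer(caller, ok, result) -- defer so the caller has yielded by now
	end)

	-- Timeout path: resume the caller with a failure if nothing has settled yet.
	task.delay(timeout, function()
		if settled then return end
		settled = true
		task.defer(caller, false, "timeout")
	end)

	return coroutine.yield()
end

Players.PlayerAdded:Connect(function(player)
	local ok, value = invokeClientWithTimeout(getClientSetting, player, TIMEOUT_SECONDS)
	-- The reply is client-controlled: check type and range before using it.
	if ok and typeof(value) == "number" and value >= 0 and value <= 1 then
		player:SetAttribute("UiScale", value) -- hypothetical attribute
	else
		player:SetAttribute("UiScale", 0.5) -- server-chosen default on timeout, error or bad data
	end
end)
```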