Roblox

Server vs Client

• Server scripts in ServerScriptService — never trust client data
• LocalScripts in StarterPlayerScripts or StarterGui — client-only
• RemoteEvent for fire-and-forget — RemoteFunction when server needs to return value
• ALWAYS validate on server — client can send anything, exploiters will

Security

• Never trust client input — validate everything server-side
• Server-side sanity checks — is player allowed? Is value reasonable?
• FilteringEnabled is always on — but doesn't protect your RemoteEvents
• Don't expose admin commands via RemoteEvents — check permissions server-side

DataStore

• :GetAsync() and :SetAsync() can fail — wrap in pcall, retry with backoff
• Rate limits: 60 + numPlayers × 10 requests/minute — queue writes, batch when possible
• :UpdateAsync() for read-modify-write — prevents race conditions
• Session locking — prevent data loss on rejoin, use :UpdateAsync() with check
• Test with Studio API access enabled — Settings → Security → API Services