Roblox Security & Anti-Exploit

When implementing security, follow the principle: Never trust the client. All important logic must be validated server-side.

Core Principles

1. Client can see everything - Assume all client code is readable
2. Client can send anything - Validate all RemoteEvent data
3. Client can modify anything local - Don't rely on client-side checks
4. Server is authority - Server decides what actually happens

Sanity Checks

Type Validation

local function validateTypes(data, schema)
    for key, expectedType in pairs(schema) do
        local value = data[key]