Cheat Protection Stages

Another post about cheat protection, copied from the Unity forums for future reference.


Cheat protection is a broad topic, with different stages of protection that you should be aware of.

Server Authority

It would be wise to implement almost all game logic with server authority first, before worrying about client sided anti-cheat. For example, if a player's health is client authoritative, then no amount of client sided anti-cheat will protect you from hackers attaining god mode. With server authority, by contrast, you would never ask the client about its current health. Instead, the server tells the client its health, makes all decisions related to health, and validates all of the client's requests related to health. For example, when a client requests to use a potion, always ensure the player actually owns that potion, is not dead, etc. This essentially makes health unhackable, unless you are able to access the server machine. However, certain aspects like movement can be quite hard to make both responsive and secure. It's certainly possible to implement all of your game state with server authority, even for movement, where you might move the client immediately, send the movement to the server, validate whether the move was legal, and then accept or reject it.
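The potion and movement checks described above, as an added example that is not part of the original post or of Mirror's code. It is plain C# with no Unity or Mirror types; the class, its members and the constants (health cap, heal amount, speed limit) are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Server-side state for one player. Hypothetical names; no Mirror or Unity types.
public sealed class ServerPlayer
{
    public const int MaxHealth = 100, PotionHeal = 25;   // assumed game rules
    public const float MaxSpeed = 6f;                    // units per second (assumed)
    public int Health { get; private set; } = MaxHealth;
    public float X { get; private set; }
    public float Y { get; private set; }
    private readonly Dictionary<string, int> inventory = new Dictionary<string, int>();

    // Server-only calls: clients have no request that reaches these two methods.
    public void Grant(string item, int count) { inventory.TryGetValue(item, out int have); inventory[item] = have + count; }
    public void ApplyDamage(int amount) => Health = Math.Max(0, Health - Math.Max(0, amount));

    // The request carries only the item name, never a health value or a heal amount.
    public bool TryUsePotion(string item)
    {
        if (Health <= 0) return false;                             // dead players cannot heal
        if (!inventory.TryGetValue(item, out int have) || have <= 0) return false; // must own it
        inventory[item] = have - 1;
        Health = Math.Min(MaxHealth, Health + PotionHeal);
        return true;
    }

    // The client has already moved locally; the server accepts or rejects the move.
    // elapsedSeconds is measured by the server, not taken from the client.
    public bool TryMove(float x, float y, float elapsedSeconds)
    {
        if (Health <= 0 || !(elapsedSeconds > 0f)) return false;
        if (float.IsNaN(x) || float.IsNaN(y)) return false;        // NaN would slip past the test below
        float dx = x - X, dy = y - Y, maxDist = MaxSpeed * elapsedSeconds;
        if (dx * dx + dy * dy > maxDist * maxDist) return false;   // farther than MaxSpeed allows
        X = x; Y = y;
        return true;
    }

    public static void Main()   // constructed requests, for demonstration only
    {
        var p = new ServerPlayer();
        p.Grant("potion", 1);
        p.ApplyDamage(40);
        Console.WriteLine("use owned potion: " + p.TryUsePotion("potion") + ", health " + p.Health);
        Console.WriteLine("use potion again: " + p.TryUsePotion("potion"));
        Console.WriteLine("move 0.5 units in 0.1 s: " + p.TryMove(0.5f, 0f, 0.1f));
        Console.WriteLine("move 50 units in 0.1 s: " + p.TryMove(50f, 0f, 0.1f));
    }
}
```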

Minimizing client information

That being said, clients may still gain advantages by simply reading state from memory without manipulating it. For example, if your tactics game accidentally keeps all of the enemy's positions in memory, then hackers may attempt to extract them for their advantage. In this case, it would help to only send relevant information to the client. For example, many netlibs provide customizable interest management. You could implement raycasting with some tolerance in order to check whether a player sees another player's units. If not, don't send those units to the player at all (in which case they can't be extracted from memory).

Client sided anti-cheat

Anti Cheat with Mirror

Note that Mirror is server authoritative by default. Interest Management & SyncMode may be used to minimize information sent to clients.
