+ 2

API Security System "Snake || API Scoreboard | EN, DE, FR, ES || V1.2"

Hello Community, I am currently working on a project where user scores are stored via an API on a server. The project is called "Snake || API Scoreboard | EN, DE, FR, ES || V1.2". However, since the source code is open source, there is a risk that users could manipulate the scores to illegitimately achieve the high score. One possible solution would be to execute the entire score calculation logic server-side. This would mean sending the position of the items and the player's movements to the API, and calculating the score on the server. However, this method results in a very high number of requests to my Laravel API in a short period of time, which could severely impact system performance. What other options are there to prevent score manipulation without overloading the API with too many requests?

8th Oct 2024, 11:58 AM
LassBattlen
6 Answers
+ 5
You can check if the new score being sent to the server is "impossible". The pseudo code is not perfect, just an example.

If you check every time the user scores (let's assume an apple is 1 point):

    if currentScore + 1 != newScore then
        there has been manipulation

If you check when the game is over (this may be a little less accurate, but not a problem with a snake game). "- 2" would be the starting length with score 0, for example.

    expectedScore = snake.length - 2
    if expectedScore < overallScore then
        there has been manipulation
8th Oct 2024, 2:08 PM
「HAPPY TO HELP」
+ 2
I will try to implement it once I get home. Thank you for your valuable advice.
8th Oct 2024, 2:20 PM
LassBattlen
+ 2
I wrote a game once that had to run on the client, but I also needed security. What I did was encrypt the data to be sent to the server. Prepare an object with all the data needed to share to the server. Player name, score, date, number of kills, level, etc. Encrypt that using some secret key. Pass the encrypted object to the server. The server decrypts it and updates accordingly. As long as users cannot find out the encryption key for the data, they won't be able to hack it. For added security, the server can generate the encryption key for a given session when the game starts. Each time the user launches a game, they get a new key. The server provides it so it's always unique. It is still technically hackable, but at least it's not a hard-coded key.
8th Oct 2024, 2:34 PM
Jerry Hobby
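Added example (not part of any post in this thread, and not the project's code): a server-side sketch that combines the game-over plausibility check from the first answer with the per-game key from the answer above, using two requests per game (start and game over). It swaps encryption for an HMAC tag over the result, is written in Python for illustration rather than as Laravel code, and the function names, the in-memory session store and `MIN_SECONDS_PER_APPLE` are assumptions.

```python
import hashlib
import hmac
import secrets
import time

START_LENGTH = 2             # from the thread: snake length at score 0
MIN_SECONDS_PER_APPLE = 0.3  # assumption: fastest plausible pace, tune per game

_sessions = {}  # session id -> {"key", "started", "used"}; a DB table in practice

def start_game(now=None):
    """Request 1, at game start: issue a fresh per-game id and key."""
    sid, key = secrets.token_hex(16), secrets.token_bytes(32)
    started = time.time() if now is None else now
    _sessions[sid] = {"key": key, "started": started, "used": False}
    return sid, key

def sign_result(key, sid, score, snake_length):
    """Tag the client attaches to its result; the server recomputes it."""
    msg = f"{sid}|{score}|{snake_length}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def submit_score(sid, score, snake_length, tag, now=None):
    """Request 2, at game over. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    s = _sessions.get(sid)
    if s is None:
        return False, "unknown session"
    if s["used"]:
        return False, "session already used"
    expected = sign_result(s["key"], sid, score, snake_length)
    if not hmac.compare_digest(expected.encode(), str(tag).encode()):
        return False, "bad tag"
    s["used"] = True  # one submission per issued key
    if not isinstance(score, int) or score < 0:
        return False, "invalid score"
    # expectedScore = snake.length - 2; the length is client-reported,
    # so this only catches inconsistent submissions.
    if snake_length - START_LENGTH < score:
        return False, "score exceeds snake length"
    # The start time is held by the server, so the client cannot edit it.
    if score * MIN_SECONDS_PER_APPLE > now - s["started"]:
        return False, "score too high for elapsed time"
    return True, "accepted"
```

The key still reaches the client, so the tag only binds a result to one game; the checks that rely on server-held state (single use, elapsed time) are the ones a modified client cannot bypass by editing its own payload.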
+ 2
You're welcome. I forgot to state that the checks should be server side, sorry!
9th Oct 2024, 12:22 AM
「HAPPY TO HELP」
+ 1
You can make it difficult to edit if you write only the score logic in C++. Then you can compile it to wasm with Emscripten. This is what I use for my game, and people cannot find the endpoint in the Chrome console under Network. But every time I change something, I should remember to change the C++ too.
8th Oct 2024, 10:24 PM
Sharpneli
+ 1
api-optimization, API security, scoring-system, server-client-communication. Lava relationship, manipulation-prevention.
9th Oct 2024, 9:32 PM
Asim Farheen ⭐⭐🤺👿👿