How to protect Leaderboard High Scores in a simple HTML5 Game

  • Hi,

    I have a simple game like Flappy bird where you also collect coins of different values, the value is visible on the coin to collect.

    The problem is that the score is sent at the end of the game to the server via an HTTPS request, but this is easily cheated by sending the request by hand from the browser after looking at the network log.

    I was thinking about what would be the best approach to solve this dilemma.

    I'm using PlayFab as the server; they provide server-side code.

    Anyone solved this problem?

    Thanks

  • Hey eka, I don't want to distract the topic but couldn't find a DM feature on the forums, so I'm replying to you.

    I'm working on my first game, and I'm a novice in programming, but can follow instructions.

    I want to implement an online Leaderboard / Highscores system to my game also, but couldn't find any recent tutorials / posts for C3.

    How did you do yours? Can you please point me towards a guide / tutorial (if there is). I'm not concerned for the security part (yet) :))

  • This is a difficult problem.

    The gist of it is that the client should never be trusted; the server is the only source of authority. As such, the server should always perform validations on a score before it deems it valid.

    That is the difficult bit: what is a valid score? That is completely tied to each game, and depending on its logic it might be impossible to determine if a score is fake or not. Even if you can determine if a score is fake, how can you handle a client sending the maximum valid score every time?

    Short story, validating a single value sent over a single request is difficult if not impossible.

    Possible solution:

    I guess you could try using web sockets so the client communicates constantly with the server about what it is doing, sending messages each time the score increases. When the game ends the client could send a message saying the game ended and the server can tally the final score.

    If a client gets funky and starts sending too many messages to increase its score, you can determine it is trying to cheat. Sending messages with score amounts you know cannot happen in the game? Cheater. Like that, there are many things the server could do to spot unusual behavior on a client.

    The problem with that approach is that to send a valid highscore you need a stable internet connection; if you don't have one, the server can't make real-time validations, so it won't accept any scores. This might be a compromise you are willing to make. You could have two modes: "For fun", which does not perform real-time validations and cannot save highscores, and "For score", which does all the validations but needs the stable connection.

    Maybe there are easier solutions, but can't think of them right now. Good luck!
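
The server-side tally described in the reply above, as an added example that is not code from the thread or from PlayFab. The class name, the allowed coin values (1, 5, 10) and the 200 ms minimum gap between pickups are assumptions chosen for illustration, and the sample sessions are constructed.

```javascript
// Added example: hypothetical server-side session tally (not PlayFab's API).
// Assumed game rules: coins are worth 1, 5 or 10, and two pickups can never
// be closer than 200 ms apart because of how coins are spaced in the level.
const ALLOWED_COIN_VALUES = new Set([1, 5, 10]);
const MIN_GAP_MS = 200;

class ScoreSession {
  constructor(startMs) {
    this.startMs = startMs;
    this.lastEventMs = startMs;
    this.total = 0;
    this.violations = [];
    this.ended = false;
  }

  // Called for every "coin collected" message; tsMs is the server receive time.
  onCoin(value, tsMs) {
    if (this.ended) { this.violations.push("event after game end"); return; }
    if (!ALLOWED_COIN_VALUES.has(value)) {
      this.violations.push(`impossible coin value: ${value}`);
      return;
    }
    if (tsMs - this.lastEventMs < MIN_GAP_MS) {
      this.violations.push(`pickup too fast: ${tsMs - this.lastEventMs} ms`);
      return;
    }
    this.lastEventMs = tsMs;
    this.total += value;
  }

  // The client's claimed score is only compared, never stored.
  finish(claimedScore) {
    this.ended = true;
    if (claimedScore !== this.total) {
      this.violations.push(`claimed ${claimedScore}, server tallied ${this.total}`);
    }
    return { accepted: this.violations.length === 0, score: this.total,
             violations: this.violations };
  }
}

// Constructed sample sessions: [coin value, server receive time in ms].
function replay(events, claimedScore) {
  const s = new ScoreSession(0);
  for (const [value, ts] of events) s.onCoin(value, ts);
  return s.finish(claimedScore);
}

const honest = replay([[1, 900], [5, 1600], [10, 2400]], 16);
const forged = replay([[10, 300], [10, 310], [999, 900]], 100000);
console.log(honest, forged);
```

Only the server's own tally reaches the leaderboard; a session with any violation is rejected, which matches the "For score" mode the reply proposes.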

  • Hey eka, I don't want to distract the topic but couldn't find a DM feature on the forums, so I'm replying to you.

    I'm working on my first game, and I'm a novice in programming, but can follow instructions.

    I want to implement an online Leaderboard / Highscores system to my game also, but couldn't find any recent tutorials / posts for C3.

    How did you do yours? Can you please point me towards a guide / tutorial (if there is). I'm not concerned for the security part (yet) :))

    Hi

    If you want multiplatform, you can use PlayFab; they provide free accounts and they have a JavaScript SDK that you can use from Construct 3... But bear in mind that sending the high score through a web game can be *easily* hacked.
