Indie-Resource.com

Hi, it seems to me that in a javascript game its pretty easy to cheat via the browser’s console. Is there a way to hide objects from browser users or some other way to prevent cheating?

Obfuscation, perhaps, but then it's not 100% guaranteed. I would validate requests (if they go here) on the server end, just to be sure. If they don't, and it's a client-only thing, then you're out of luck - unless you do some hardcore obfuscation.

http://en.wikipedia.org/wiki/Obfuscation_(software)

http://en.wikipedia.org/wiki/Security_through_obscurity

This is something I've been worried about too. If you are building a game with a Node based stack what is the best route to go for security?

Verahta wrote:This is something I've been worried about too. If you are building a game with a Node based stack what is the best route to go for security?

From my limited understanding of NodeJs, it does stuff with the server (client -> server). You'd validate and sanitize user inputs and requests on the server end.

(Forgive me if I'm wrong. I've never used NodeJS)

basically YOU CANNOT prevent people to hack a javascript game. Yet you could double check each action on the server side... at the cost of an higher load on the server side.

a_bertrand wrote:basically YOU CANNOT prevent people to hack a javascript game. Yet you could double check each action on the server side... at the cost of an higher load on the server side.

You can obfuscate your code to make it harder to manipulate. But memory editors can still filter data and manilpulate it so there's a way around that too.

When putting javascript live, make sure everything is instantiated from an anonymous function, this instance will not be accessable by basic tools. Correct, lol is not accessible. Incorrect (lol will be stored in the global scope):
The only real solution is to stream the video to the client, and do all processing server-side. This would require a socket, a lot of knowledge in the graphics pipeline, and a very fast server. A major down side to this is bandwidth usage and internet speeds.

If you can't prevent script kiddies from cheating, is there a way to simply detect the alterations they make to the DOM or whatever so you can at least banhammer/suspend them?

Chris: even if you enclose your variables all the browser now have JS debuggers, which allows you to put a breakpoint where you want and then modify live the value even within a function. So no that doesn't help.

Obfuscation could somehow slow down the hacking but not prevent it.

Whatever runs on the client side must be considered un-secure, and therefore either you accept it as is, or you need to check every action on the server side.

Verahta wrote:If you can't prevent script kiddies from cheating, is there a way to simply detect the alterations they make to the DOM or whatever so you can at least banhammer/suspend them?

Nope. Well there is, but you can bypass that aswell.

That’s funny, I still find it a little hard to believe that all those huge html5 games out there are so ridiculously prone to hacking and cheating.