Closed DoctorGester closed 6 years ago
You can try to get API keys via HTTP request to your server, and then at serverside detect is server located at valve network or not (client can easily hook IsDedicatedServer)
@MoofMonkey people already successfully acquired dedicated server access with malicious intents and hacked other games. There is literally no way to protect your game from that.
@DoctorGester, btw detecting server network is the best protection now. At least there's nothing better for dedicated servers.
It is known. https://github.com/Perryvw/ValveWhitelist
Alternative option is having the engine add some tokens as a http header to lua and panoramas HTTP API's that our backends can check against, maybe JWT?
Main problem is not being able to know WHO sent the request, both in steamID for panorama stuff, and gamemode ID for lua stuff
Alternative option is having the engine add some tokens as a http header to lua and panoramas HTTP API's that our backends can check against, maybe JWT?
Really crutch. More realistic idea that Valve will add dedicated-only files.
It's not a crutch and it's a better idea in my opinion.
What, restructure how the entire steam workshop system works, which affects many games, not just Dota. or add one GC server to client packet and add a couple of lines to CScriptHTTPRequest
Now way to do this is You can try to get API keys via HTTP request to your server, and at your server you must check dedicated server key, which will be sent in the request
This would enable safe access to foreign APIs since API key files could be excluded and only the dedicated server would have access to them.