SomeKindaHackrMan / TTSense

Object security for Tabletop Simulator

Better handling of API key so it's more difficult to get ahold of #1

Open SomeKindaHackrMan opened 1 month ago

SomeKindaHackrMan commented 1 month ago

Maybe having an endpoint where the client can GET the API key and store it locally\dynamically so it's not stored in the script itself. Although this isn't much more secure, it's just another step someone would have to take. It could also make it easier for a malicious actor who isn't using the client to get the API key and try to send malicious SQL.

SomeKindaHackrMan commented 1 month ago

Maybe instead of having the API key spread around and public Lua script, create a new version that isn't allowed to POST at all to the server and its only purpose is to GET hashes and check objects. With that said, there would need to be another version where whitelisted users can go around and collect script samples.
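
The split proposed in the comments above, sketched as an added example (not TTSense's code and not written by the issue author): the server, rather than the client script, decides what each key may do, so the key shipped in the public script can only look up hashes. The key values, the `samples` table, and the `handle` function are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed keys (assumption). Only digests are stored server-side; the
# public Lua script would carry just the read-only key.
KEY_SCOPES = {
    hashlib.sha256(b"public-read-key").hexdigest(): {"GET"},
    hashlib.sha256(b"collector-key-1").hexdigest(): {"GET", "POST"},
}
SHA256_HEX = re.compile(r"[0-9a-f]{64}")

def scopes_for(api_key):
    """Methods a key may use; unknown keys get an empty set."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored, scopes in KEY_SCOPES.items():
        if hmac.compare_digest(stored, digest):
            return scopes
    return set()

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE samples (sha256 TEXT PRIMARY KEY, script TEXT)")
    return db

def handle(db, method, api_key, payload):
    """Hypothetical handler: GET takes a hash, POST takes script text."""
    if method not in scopes_for(api_key):
        return 403, "forbidden"
    if method == "GET":
        if not SHA256_HEX.fullmatch(payload):
            return 400, "bad hash"
        row = db.execute("SELECT 1 FROM samples WHERE sha256 = ?",
                         (payload,)).fetchone()
        return (200, "known") if row else (404, "unknown")
    # POST: hash is computed server-side and values are bound as
    # parameters, so script text is never spliced into the SQL string.
    digest = hashlib.sha256(payload.encode()).hexdigest()
    db.execute("INSERT OR IGNORE INTO samples VALUES (?, ?)", (digest, payload))
    db.commit()
    return 201, digest
```

With this layout a leaked public key exposes only hash lookups, and a leaked collector key can be revoked by deleting its one entry.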