Roblox games run on a client-server model: your game logic executes on Roblox’s servers, while visual rendering and user input handling occur on each player’s device (the client). Understanding this architecture is essential for building secure and scalable games.
FilteringEnabled and Why It Matters
FilteringEnabled (FE) has been mandatory since 2018. It prevents clients from directly modifying the server’s state — meaning players cannot use exploits to give themselves infinite coins or teleport to locked areas. Any change a client wants to make must be communicated to the server via a RemoteEvent or RemoteFunction, where the server validates the request before applying it.
RemoteEvents vs RemoteFunctions
RemoteEvents are fire-and-forget: the client fires the event, the server receives it and acts on it, but there’s no direct response returned to the client. RemoteFunctions work like a function call: the client invokes it, the server processes it, and returns a value. Use RemoteEvents for most gameplay actions; use RemoteFunctions sparingly (they can yield indefinitely if the server doesn’t respond).
Server-Side Validation
Never trust the client. If a player sends a RemoteEvent saying “give me 1000 coins,” validate on the server that they legitimately earned those coins before modifying their data. A simple rule: all data modification must originate from server-side logic, even if it’s triggered by a client-side event.
Multiple Server Instances
Popular games run across hundreds of parallel server instances. Each server is independent — players on different servers cannot directly interact. Roblox’s MessagingService allows cross-server communication for global leaderboards and server broadcasts, but this requires careful architectural planning.