Prevents cheaters from exploiting server events
xaries - tekken
Source code: GITHUB
Important Notice
If you rename a script, it will no longer work properly
Features
- Player bans for all identifiers and `Player Tokens`
- Discord Webhook logs when a player tries to trigger an event with no arguments / or with an invalid token
- Using State Bags for storing data
- Fully standalone
- Well optimized ~0.00ms
Usage
Client
exports["secured"]:call(eventName, [, ...])
Required arguments
eventName: A string representing the event name to call on the server.
Optional arguments
...: Any additional data that should be passed along.
Example
exports["secured"]:call("Test", "test1")
Server
exports["secured"]:handler(eventName, callback)
Required arguments
eventName: The name of the event you want to listen to.
callback: The function to run when the event is called.
Example
exports["secured"]:handler("Test", function(arg)
local player = source
if arg ~= "test" then
return false
end
return true
end)
4 Likes
the security of the yellow gate meme,
to bypass all this stuff just call an event by adding LocalPlayer.state.token as the first parameter.
lol, nice security 
this comment was not made to insult, but to make the community realize that these kinds of “security” do not make any sense at all
for anyone who was reading, instead of trying to protect your server with this kind of “security,” follow the advice that fivem also gives: move as much code to server-side as possible and do as much server-side auditing as possible, everything else most of the time is totally useless and just as easy to get around as stealing candy from a baby
3 Likes
Dude. Why do this hassle if people just code properly
3 Likes
While this script offers some other way of protecting your events, this has so many security flaws, that its better to use normal events and secure them server-side(like Tony-Stank has said) than use this.
XenoS.exe is right, but most injectors doesn’t have access to files like *.lua downloaded from server(for example, red Engine injects into cfx_internal) they have connected to, but they can easily copy the token and send it through manually.
This will simply not help if you don’t know what you’re doing.
Hi, currently from my knowledge most executors use “Isolated” which creates their own environment and Statebag is not possible to pull out but I can agree that the system is simple. As you can see, the system does not have server > client synchronization that could cause a false bans
Hey, like the friend above i will explain a few things to you. The code is available to everyone. Anyone can change it and if you don’t see the potential here it just shows your lack of skill. FiveM offers an escrow system to everyone for free. I don’t see any obstacles to change this code a bit and create a really good protector for your events. Currently, it is the best script of its type, and it is free here on the forum. The guy who wrote the first comment is very limited if he says that this code is easy to bypass and doesn’t have much contact with the “stuff” that people use to perform events.
If you have any questions, ask them here and I will answer you. 
There are others that do the same job. So what makes this the best one?
For example, pmc-callbacks: [RELEASE] Lua Callback system
Can you define the benifets to your system over one such as the above?
Damn you’re right. This is a much better script than mine which has a different effect and is not a tokenizer
ami does not let me or use it I put everything well and puts me errors that the export has not been found in the secured script and the tokens that I do not know what it is, I imagine that it will come out to many more people, if someone works everything well to help me please
https://media.discordapp.net/attachments/1110218813326233672/1132153102083051530/image.png