Guide
Exploit Detection with Tamper
Tamper tracks malformed requests automatically and lets you issue manual strikes for game-logic violations. Kick players when they exceed a configurable threshold.
Setup
local Tamper = require(game.ReplicatedStorage.RoExpress.Tamper)
Tamper:Configure({
threshold = 5, -- strikes before kick
window = 60, -- rolling window in seconds
kickMsg = "Exploiting is not permitted.",
onStrike = function(player, reason, count)
print(player.Name, "strike", count, reason)
end,
})Automatic strikes
Tamper automatically issues a strike when App or Port receives a request it can't parse | wrong method, malformed payload, invalid route. No extra setup needed.
Manual strikes
Issue strikes from your own handler when game logic is violated.
app:Post("combat/hit", function(Player, Payload, req, res)
local damage = req.data and req.data.damage
if type(damage) ~= "number" or damage <= 0 or damage > 100 then
Tamper:Strike(Player, "invalid damage value: " .. tostring(damage))
res:Status(400):Error("Invalid")
return
end
-- process valid hit
end)Threshold tuning
| Game type | Recommended threshold | Window |
|---|---|---|
| Competitive / ranked | 3 | 30 s |
| Casual / social | 10 | 120 s |
| Development / testing | 999 | 999 s |
Don't zero-tolerance. Network errors and client bugs can cause honest players to send malformed data. Start permissive and tighten only if you see repeat offenders in logs.
See also
Tamper API · Stream Guide | combining lag compensation + tamper · TokenBucket | rate limiting as first line of defence · Middleware | additional validation layer