Secure global high scores table

[Pert]

Has anyone thought of a way to do secure global High Scores table that anyone could submit their score to?

My obvious worries would be
a ) people can read through JavaScript or check Chrome Dev Tools network tab to grab URL and send random scores in
b ) if a) is solved, people changing score variable from Chrome DT console (score = 1000000000) before they die, and then submitting seemingly valid scores

Any thoughts?

[austin]

Best way is to keep track of scores on a backend server, otherwise the client will be able to manipulate whatever you have. Of course, that's a huge step up from a purely client-side game...

 

You can do some stuff on the client side to make it more difficult to cheat, but it's definitely not foolproof. Wrote a bit more on this here: http://css.dzone.com/articles/developing-cross-platform-2 and I'm guessing there are some better articles out there as well

[Pert]

Well, that's the problem, to make it more interesting, the game I have in mind needs to offer some kind of competitive edge so people have reason to share it with friends.

If it was mobile only, I would not worry too much, as it will be hidden from the most basic hack attempts. But a JS game - that takes some clever engineering.

That article looks pretty promising, cheers! Will refer back to it again once I get to doing global leader boards.

[Gio]

Like austin says, the only real way to make it secure is to keep track of it on the game server - don't submit the score, have the server calculate the score based on data that the client exchanges with the server during the game. If both client and server use the same JS code (i.e. your server uses Node.js) this may be easier than it sounds.

 

Having said that, there are a couple of client-side tricks that may help. With enough dedication anything can be manipulated, but this should at least make it more difficult and stop people who aren't motivated enough / don't have enough time to invest into hacking your game scores:

 

1) Don't make your score publicly accessible: don't create a variable that you can easily get to, such as a global variable or something like game.score (where game is global). Make it private and accessible from closure scope only.

2) Don't submit the score without encrypting it: don't do things like $.post('myScore', 1234), but encrypt your url and your data before sending.

3) Obfuscate the part of your code that deals with the score and submits it.

4) Ban people's IP addresses and accounts when they attempt to cheat, before they manage to do it: if you've followed steps 1, 2 and 3, chances are that hackers won't be successful on their first attempt. Detect that and stop them before they succeed.