I am building an express.js arcade web app and I have made the games with Unity. Whenever the user fails or completes the task in the current game I send the score using UnityWebRequest.Get and the server updates the leaderboard on the website accordingly. The games are built using Unity WebGL because they need to be played in the browser. This brings to mind some security questions because the code can be seen in the browser. Can somebody just send a modified web request to the server that has a massive score, or just edit the score so that when he fails it sends the score to the server? So basically cheat very easily. If this is possible, is there a way to prevent it? I would prefer to keep the code hidden in the back end but I don’t know if you can do that with Unity?
A WebGL app runs on the client system. Anything can be tampered with by the client. Any attempt at making a 100% secure client-authoritative app is essentially futile. Yet, most apps still work fine with plenty of loopholes because they don’t have enough tech-savvy users interested in cheating. So before you waste time on securing the app, first be sure it is popular enough that it warrants spending time on securing it.
Usually you’d rely on a proven framework to handle things like authentication tokens that ensure that your app has authenticated the web request (typically via private/public keys). With a secure protocol (https) you also have encryption. That is the minimum viable option and should be all you need.
More than likely, any “cheated scores” in the leaderboard are actually coming from bugs or exploits in the game, not cheaters/security breaches.
In any case, certainly make sure nobody can just call a URL via unencrypted http on your webserver with a manually entered score, something like this:
http://mydomain.com/score.php?score=1234567890
That is essentially leaving the front door open.
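A sketch of the server-side check the answer describes, as an added example that is not part of the original post: the server issues a signed, single-use session token when a game starts and refuses any score that arrives without one or that exceeds a plausibility cap. It uses an HMAC with a server-only secret rather than a public/private key pair; `startGame`, `submitScore` and `MAX_POINTS_PER_SECOND` are hypothetical names and values, meant to be called from Express POST route handlers served over HTTPS.

```javascript
const crypto = require("node:crypto");

// Assumptions for this sketch: the secret lives only on the server, and
// MAX_POINTS_PER_SECOND is a per-game limit you choose from real play data.
const SECRET = crypto.randomBytes(32);
const MAX_POINTS_PER_SECOND = 50;
const usedSessions = new Set(); // use a shared store with expiry in production

const sign = (payload) =>
  crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");

// Called when an authenticated user starts a game; the token goes to the client.
function startGame(userId, gameId, now = Date.now()) {
  const payload = Buffer.from(
    JSON.stringify({ sid: crypto.randomUUID(), userId, gameId, startedAt: now })
  ).toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Called by the score route. Returns { ok, reason } or { ok, session, score }.
function submitScore(token, score, now = Date.now()) {
  const [payload, mac] = String(token).split(".");
  if (!payload || !mac) return { ok: false, reason: "malformed token" };

  // Verify the MAC before parsing anything the client sent.
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: "bad signature" };

  const session = JSON.parse(Buffer.from(payload, "base64url").toString());
  if (usedSessions.has(session.sid)) return { ok: false, reason: "token already used" };
  usedSessions.add(session.sid); // one submission per game session, valid or not

  if (!Number.isSafeInteger(score) || score < 0)
    return { ok: false, reason: "invalid score" };
  const elapsedSeconds = (now - session.startedAt) / 1000;
  if (elapsedSeconds <= 0 || score > elapsedSeconds * MAX_POINTS_PER_SECOND)
    return { ok: false, reason: "implausible score" };

  return { ok: true, session, score };
}
```

A modified client can still submit any score under the cap, so this bounds what a forged request can claim rather than making the client trustworthy.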
Thank you! That is a really good answer.