Does GameMode exist on client build?

Hello,

I have a dedicated server and a node.js WebSocket server running in a Linux platform.

I have a client build (Development) running in Windows platform.

All WebSocket transactions are coded in GameMode. From what I understand, GameMode exists only on the Server.

The weird thing is that even though the client is not connected to the dedicated server yet, it connects to the WebSocket server which is coded only in GameMode class.

So the main question is: Why is my GameMode code running on a client build (not connected to the dedicated server yet) given that it exists only on the server?

The documentation for GameMode is here:

Game Mode and Game State in Unreal Engine | Unreal Engine 5.3 Documentation

The most important parts for your question say that GameMode exists on dedicated servers, or listen servers, and on single-player game instances, but not on pure client instances when they are connected to a server.

Clients act as their own server (standalone) while they are not connected to a server. While a client is connected to a server it won’t spawn a GameMode though.

If the GameMode code also exists on client builds, then it is also exposed to cheaters; they will know how the server works.

Where should I put my Server-Only code then if not in GameMode class?

You could add it to a ServerOnly Plugin or, if it is C++ code, use the preprocessor directive UE_SERVER.


Thank you @GarnerP57, I just researched your answer and it helped me a lot in moving forward with refactoring my project.

This is called “security through obscurity” and doesn’t actually work.

If there are secrets that the client must not know (such as random seeds, encryption keys, credentials, etc.) then they should be provided in configuration files that live only on the server; they should not be built into the code.

Unsure if you refer to the GameMode only or my suggestion too?

Using the preprocessor UE_SERVER is not obscuring the code; it is excluding it completely from Client builds.
The same is true for Server only Plugins. If done correctly the plugin is not packaged with anything except the Dedicated Servers.

Using server only config files is another possibility but that is only for simple stuff like configuration and keys.

My preferred option for keys is not even storing them in a config file but injecting them during the Build Process.

I was largely referring to the GameMode – it’s fine to have “server only code” that doesn’t get shipped to the client.

However, if the reason you want “server only code” is that your security depends on the users not knowing how it works, then that’s never a good security model. You will have developers who leave the team, and who remember how it works. Players will look at requests from your client and responses from the server, and figure out how it works. Anything secret has to be akin to a password, key, strong random seed, or similar piece of data.

Anything that is actually a “root” of your “trust” should be a small piece of configuration data. If you “inject it during the build process” then it’s part of the executables, which means you for example can’t rotate keys without re-building all the binaries.
It also means that you can’t use a standard secrets management solution – your entire server binaries are now your “keys” (secrets) and thus must be managed as such, which is typically not really feasible.

This is not a “matter of opinion” by the way, it’s a clear security design approach that’s been learned the hard way by the entire computing profession over the last 50 years of networked computers. Your system should be 100% secure even if the attacker has all the source code and a copy of all the executables/binaries/libraries/plugins. Ignoring it is not a good idea.

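The design argued for in the last reply (the secret is a small piece of server-side configuration, rotatable without rebuilding, while the code itself can be public), shown as an added Node.js example that is not part of the original thread. The keyring file format, the token layout and all function names are assumptions made for this illustration.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Keyring file lives only on the server host, outside the build output.
// Assumed format: { "current": "k1", "keys": { "k1": "<hex key>" } }
function loadKeyring(file) {
  const ring = JSON.parse(fs.readFileSync(file, 'utf8'));
  if (!ring.keys || !ring.keys[ring.current]) throw new Error('no current key');
  return ring;
}

function mac(hexKey, data) {
  return crypto.createHmac('sha256', Buffer.from(hexKey, 'hex')).update(data).digest();
}

// Token layout (constructed for this example): <keyId>.<payload>.<hex HMAC>
function sign(ring, payload) {
  const body = `${ring.current}.${payload}`;
  return `${body}.${mac(ring.keys[ring.current], body).toString('hex')}`;
}

function verify(ring, token) {
  const first = token.indexOf('.'), last = token.lastIndexOf('.');
  if (first < 1 || last <= first) return null;
  const kid = token.slice(0, first);
  if (!Object.hasOwn(ring.keys, kid)) return null;       // unknown or retired key
  const expected = mac(ring.keys[kid], token.slice(0, last));
  const given = Buffer.from(token.slice(last + 1), 'hex');
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? token.slice(first + 1, last) : null;
}

// Rotation walk-through: only the file changes, the code above never does.
function rotationDemo() {
  const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'keyring-')), 'keys.json');
  const newKey = () => crypto.randomBytes(32).toString('hex');
  const write = (ring) => fs.writeFileSync(file, JSON.stringify(ring), { mode: 0o600 });
  write({ current: 'k1', keys: { k1: newKey() } });
  const oldToken = sign(loadKeyring(file), 'player=42');
  const k1 = loadKeyring(file).keys.k1;
  write({ current: 'k2', keys: { k1, k2: newKey() } });    // rotate, keep k1 for overlap
  const overlap = loadKeyring(file);
  const result = { duringOverlap: verify(overlap, oldToken) };
  const newToken = sign(overlap, 'player=42');
  result.newKeyId = newToken.split('.')[0];
  result.tampered = verify(overlap, newToken.replace('42', '43'));
  write({ current: 'k2', keys: { k2: overlap.keys.k2 } }); // retire k1
  result.afterRetire = verify(loadKeyring(file), oldToken);
  return result;
}
```

Everything in this file could be published without weakening the scheme; only the contents of the keyring file need to be managed as a secret.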
