Obfuscation isn't security — and what we do instead.
We get the question every release: why aren't your scripts open source? Here's how we actually protect server stability without leaking attack surface.
Every time we ship a release, the same question lands in our DMs: why aren't your scripts open source, and why is the bundled Lua minified?
It's a fair question. The short answer is that we sell licensed code, and we don't want the deploy key from one server to mint a thousand bootleg copies overnight. The longer answer — the one worth writing down — is that obfuscation is not security, and pretending it is gets you owned.
What obfuscation actually buys you
Obfuscation buys you time. That's it. A determined attacker with a Lua decompiler and an afternoon will get back something readable enough to monkey-patch. What obfuscation can do is raise the price of a casual leak — the kind that happens when someone pulls your resource off a stolen server and re-uploads it to a leak forum.
That's a useful price to raise. It is not the same thing as defending against an attacker who has actually compromised your server.
What we actually do
Three layers, in increasing order of how much they matter:
- Per-server license keys. Every resource is keyed to a Cfx server license at build time. Pull it off server A, drop it on server B, and the bridge refuses to boot. This is the layer most servers feel — and it's also the easiest to defeat with a determined enough attacker. We treat it as friction, not a wall.
- Server-authoritative state. No client-side decision matters. The mechanic shop computes prices on the server. Inventory transitions happen on the server. The client gets a UI and a notification — never a source of truth. This means even a fully cracked client build can't grant itself a million dollars; the only way is to compromise the server, in which case all bets are off anyway.
- Minimal client surface. The client bundle is small on purpose. Less code on the player's machine means less attack surface, less to reverse, and less to leak. When a feature can live on the server, it does — even when the latency hurt is real.
What we don't do
We don't ship anti-debug. We don't run integrity checks against the player's CitizenFX process. We don't try to detect Cheat Engine. All of those are a treadmill: the cheaters update, you update, the cheaters update, and nobody is materially safer. Worse, they generate false positives that ban paying players and make your support queue miserable.
If you're getting cheated on, the answer is almost never "make the client harder to reverse." It's "stop trusting the client."
What this means for you
If you're evaluating a FiveM script — ours or anyone else's — the question to ask the vendor is not "is your code obfuscated?" It's:
- Where does the authoritative state live?
- What happens if I delete your client bundle and replace it with my own?
- Can you show me an event your server validates before mutating state?
A vendor who can answer those three crisply is taking your server's safety seriously. A vendor who pivots to "well, our bundle is encrypted" is selling you a smoke detector with the batteries out.
We'll keep shipping closed-source code, because that's the deal we make with the people who pay us. But the security you're getting from us has almost nothing to do with the fact that you can't read the source. It comes from the fact that we don't trust the client we shipped to you, either.