HTML5 will be widely adopted as a way to design games, is the prediction. But I have my questions about this: how can an online HTML5 game ever be secure?

Let me give you an example: imagine this platform game where you gain badges when you win, for example, an extremely hard level. When you have actually won this badge, a request is made to the server, in order to update your online profile. Isn't it extremely simple for a hacker to just send this request and gain the badge, without playing the actual game? Because:

• The client-side source code is visible and impossible to hide
• It is possible to execute Javascript from the mand-line

I don't see a way to prevent this hacker from gaining his badge... Is there any way to make this game safe?

HTML5 will be widely adopted as a way to design games, is the prediction. But I have my questions about this: how can an online HTML5 game ever be secure?

Let me give you an example: imagine this platform game where you gain badges when you win, for example, an extremely hard level. When you have actually won this badge, a request is made to the server, in order to update your online profile. Isn't it extremely simple for a hacker to just send this request and gain the badge, without playing the actual game? Because:

• The client-side source code is visible and impossible to hide
• It is possible to execute Javascript from the mand-line

I don't see a way to prevent this hacker from gaining his badge... Is there any way to make this game safe?

• javascript
• security
• html

• Flash games have the same problem. Related (Flash): stackoverflow./questions/477258/… – Pekka Commented Aug 9, 2010 at 9:03
• Related (Flash): stackoverflow./questions/1666213/… – Pekka Commented Aug 9, 2010 at 9:03
• 2 I don't see how it's essentially any different than desktop or even console gaming. – aib Commented Aug 9, 2010 at 9:04
• 1 @aib the essential difference is that data is sent from and to the server and this data can be easily eavesdropped on. – Pekka Commented Aug 9, 2010 at 9:05
• 1 @Pekka and others: Great, thanks! Enough to read and I didn't think about the fact that all games have this problem! – Harmen Commented Aug 9, 2010 at 9:11

3 Answers 3

Yes, if you designed your game like that, it would be very easy to hack. But why is this specific to HTML5? You could do that with any type of game that was written like that. Even with a native desktop game you could still fake the request. The only difference is that faking HTTP requests is easier than reverse-engineering requests made by a desktop game.

The solution would be to add some kind of "validation" to the victory--the actual algorithm would vary from game to game. Maybe have the server track the game's progress while the user is playing. If it were a game of chess, for example, you could send every move to the server and have the moves validated to make sure they work out correctly. This gets more plicated with real-time games, though.

But whatever algorithm you decide to use, it will be defeated. Even the chess validation that I just mentioned could be bypassed: you could just "create" your own valid game of chess and just send the same moves to the server every time, ensuring that the game was valid. (This is assuming that the player is against a puter--having two humans play against each other would make things easier.)

It's no different from any Flash-based game or indeed a game with a downloadable client like World of Warcraft. Anything integral to the game's fairness has to be handled on the server.

One way that HTML5 can be more secure is that you can change it at any time. So let's say you have an AJAX call to provide a user with a reward. You could periodically change the signature of this call, so that 'cheats' would no longer work. Be sure to keep track of players that are still using the old API, and you can penalize the players using the cheats.

No, this won't solve all of your problems, and there are ways the most savvy players will be able to work around this (depending on how elaborate your changes are), but it does provide some way to deal with this, especially if your game requires significant investment. Players may not be willing to risk their progress if they feel like there is a chance they'll be caught. Just make sure you have a clear code of conduct that details punishments for cheating.