- Never use `str_to_var()` on untrusted data — it deserializes arbitrary Godot types and can execute code paths not intended for external input.
- Validate all save file data loaded with `FileAccess` or `ConfigFile` before applying it to game state — corrupted or tampered saves should not crash or exploit the game.
- Use `ResourceLoader.load()` with explicit type hints and validate the returned resource type before casting.
- Sanitize player-provided input strings (chat, usernames) before displaying them — even in local multiplayer, malformed Unicode can cause rendering issues.
- When using Godot's `ENetMultiplayerPeer` or `WebSocketMultiplayerPeer`, validate all received RPC arguments server-side — clients can send arbitrary data.
- Store sensitive configuration (API keys for online features) outside the exported PCK using `OS.get_environment()` or a server-side proxy — keys inside PCK files are extractable.
- Use the `@rpc` annotation modes deliberately — `@rpc("authority")` (the default) only lets the multiplayer authority call the function, `@rpc("any_peer")` lets every client call it, and `"call_remote"` (the default) keeps the call from also running locally — never mark server-authoritative RPCs as `"any_peer"`.
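The two save-file points above (avoid `str_to_var()` on external data, validate before applying) in one piece of GDScript. This is an added example, not code from the original page or from Godot itself; the save path, the field names and the ranges are assumptions chosen for illustration. Unknown keys are ignored and any rejected field falls back to a default, so a tampered or corrupted file can only ever produce a valid state.

```gdscript
# Added example (not from the original page): load a save with FileAccess,
# parse it as JSON instead of str_to_var(), and validate every field before
# it touches game state. SAVE_PATH, field names and ranges are assumptions.
const SAVE_PATH := "user://save.json"
const MAX_LEVEL := 100
const MAX_HP := 9999
const MAX_NAME_LEN := 32

func load_save() -> Dictionary:
	# Defaults used when the file is missing or rejected.
	var fallback := {"level": 1, "hp": 100, "name": "Player"}
	if not FileAccess.file_exists(SAVE_PATH):
		return fallback
	var file := FileAccess.open(SAVE_PATH, FileAccess.READ)
	if file == null:
		push_warning("save open failed: %s" % error_string(FileAccess.get_open_error()))
		return fallback
	var text := file.get_as_text()
	file.close()

	# JSON.parse_string only yields JSON types (Dictionary, Array, String,
	# float, bool, null). Unlike str_to_var() it cannot reconstruct Objects,
	# so the file cannot smuggle in engine types the game never expected.
	var parsed = JSON.parse_string(text)
	if typeof(parsed) != TYPE_DICTIONARY:
		push_warning("save rejected: top level is not a dictionary")
		return fallback

	var result := fallback.duplicate()

	# Allowlist: check type and range of each field we intend to apply.
	# JSON numbers arrive as float, so integers are checked for a zero fraction.
	var level = parsed.get("level")
	if typeof(level) == TYPE_FLOAT and level == floorf(level) \
			and level >= 1 and level <= MAX_LEVEL:
		result["level"] = int(level)
	else:
		push_warning("save field rejected: level")

	var hp = parsed.get("hp")
	if typeof(hp) == TYPE_FLOAT and hp == floorf(hp) and hp >= 0 and hp <= MAX_HP:
		result["hp"] = int(hp)
	else:
		push_warning("save field rejected: hp")

	var player_name = parsed.get("name")
	if typeof(player_name) == TYPE_STRING and player_name.length() > 0 \
			and player_name.length() <= MAX_NAME_LEN:
		result["name"] = player_name
	else:
		push_warning("save field rejected: name")

	return result
```

Because every accepted value is copied into a fresh dictionary, the rest of the game only ever sees the allowlisted keys with known types, and a rejected save degrades to defaults instead of crashing the loader.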
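The RPC points above (server-side validation of received arguments, and keeping server-authoritative calls out of client reach) as one added GDScript example; it is not code from the original page or from Godot. The node layout under `Players/`, the per-peer lookup and the `MAX_STEP` limit are assumptions for illustration.

```gdscript
# Added example (not from the original page): a client-callable movement RPC
# whose arguments are validated on the server, and an authority-only RPC that
# pushes the accepted state back out. Node names and limits are assumptions.
extends Node

const MAX_STEP := 5.0  # largest distance one move request may cover

# Clients are meant to call this, so "any_peer" is intentional here.
# The server is the multiplayer authority and applies the move only after
# checking who sent it, that the value is finite, and that it is in range.
@rpc("any_peer", "call_remote", "reliable")
func request_move(target: Vector3) -> void:
	if not multiplayer.is_server():
		return  # only the authority mutates shared state
	var sender := multiplayer.get_remote_sender_id()
	var player := _player_for_peer(sender)
	if player == null:
		push_warning("move from unknown peer %d ignored" % sender)
		return
	# The typed parameter rejects non-Vector3 arguments, but NaN and inf are
	# still valid Vector3 components, so they have to be checked explicitly.
	if not target.is_finite():
		push_warning("peer %d sent a non-finite position" % sender)
		return
	if player.global_position.distance_to(target) > MAX_STEP:
		push_warning("peer %d requested an out-of-range move" % sender)
		return
	player.global_position = target
	# Broadcast the accepted state from the authority only.
	sync_position.rpc(player.name, target)

# Default "authority" mode: a client that tries to call this is refused by
# the engine, so clients can only ever receive positions, never dictate them.
@rpc("authority", "call_remote", "unreliable_ordered")
func sync_position(player_name: String, pos: Vector3) -> void:
	var node := get_node_or_null("Players/" + player_name) as Node3D
	if node != null:
		node.global_position = pos

func _player_for_peer(peer_id: int) -> Node3D:
	# Assumed convention: each player node is named after its peer id.
	return get_node_or_null("Players/%d" % peer_id) as Node3D
```

Binding the move to `multiplayer.get_remote_sender_id()` rather than to any id carried in the arguments is what stops one client from steering another player's node: the sender identity comes from the transport, not from data the client controls.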