Is there a way to stop end-user tampering with JavaScript game code in my page? [duplicate]

Question

I am thinking of creating a HTML5 game. I understand that it's probable that no one will try to cheat, but I want to make sure (and am interested to see if there are any good techniques).

I understand the advantages of having open source software, and would want my code to be read and stuff. However, in a game type situation, where the user's score would be sent to the server to be stored, I can see a problem in that the user can open their devtools (F12 in most browsers) and modify the script or the values in variables to give themselves a higher score or a hundred lives. I don't care if people do this, but I don't want their scores to be stored.

Case Study: Candy Box 2 (candybox2.net) took me less than 20 seconds to get 100000000 candies.

Is there any way to stop this from happening?

Answer 1

The surest way to stop this from happening is to run all the business logic server-side, only accepting commands from the browser. If the key variables are not resident in the browser (or the copy in the browser is a cached copy and never accepted as authoritative) then client-side manipulation is unable to do anything except perhaps automating UI actions.

If the client code has to be made tamper-resistant, you've already lost; that way lies PunkBuster, Valve Anti-Cheat, and other mechanisms that generally require the user to let you permanently install a rootkit on his machine so you can satisfy yourself by inspection that he's not cheating.

For some projects I've been working on recently using ASP.Net as a back-end, I've found SignalR to be a very efficient Comet-type communications layer for JavaScript and dynamic HTML, even taking advantage of HTML 5 WebSocket support if available.