Implement server-side checks first, then implement client-side checks only if you have to, and only if there’s still exploiters. You want these to be your first line of defense because there’s no way around them! These fall under the categories of “validity checking” and “sanity checking”. Server-side checks can never be disabled. You do not want these to be your first line of defense! These fall under the categories of “obscurity” and “obfuscation”. Client-side (LocalScript) checks can always be disabled.