Fun fact: there is a hacking forum that still have failed to create trainers for Curious Expedition due to "weirdly changing memory addresses". I think if they would have realized that it was just a browser game it would have been much easier for them.

I have been thinking about this problem a lot and I may have a solution. Essentially, every time the user loads the page he gets a different obfuscated version of the base game. In this way, no script or plugin can be made to hook to your code since it's different every time the game loads. In addition, you can also obfuscate the protocol (for multiplayer) so that network sniffing tools can't capture the relevant data when communicating with the server. Finally, you can tie an obfuscated version of the game to a particular user, so you can find hackers or make it harder for them to run the game.

Or just run everything on the server (hit detection, positioning, etc) and just use the client for rendering and interpolation.

But that means writing a reasonable server!

Jokes aside, there are some Korean MMOs that rely on excessively trusting the client as a core part of their business model. If you offload as much state as possible to the client your server costs go way down. Maplestory is an example of this: if a player is alone on a map, essentially all map state, physics, etc. is handled purely on the client. When another player enters the map, half of the NPCs get 'handed over' to that player, and the server syncs state between the two clients.

On the other hand, you have to keep in mind hacks like bots and wallhacks. In the case of bots obfuscation is practically your only defense. In the case of wallhacks you can try to keep clients in the dark as much as possible, but there will always be a period where the client knows more than the player should (unless you want enemy players to 'pop in' once they are fully in view).

>If you offload as much state as possible to the client your server costs go way down.

It also makes the game much more fluid without adding a lot of complexity to hide the latency. I think South Korean games can get away with it because they require an SSN to register. If you get caught cheating then making a new account isn't easy.

This is a really interesting idea and something i've been thinking on. Thanks for sharing.

Cheating using modified clients is hardly unique to HTML5 games, and the solution is the same everywhere: move game logic decisions on the server and only have the client predict those decisions while it sends its own choices to the server. The problem with Agar.io etc. is maybe that they don't have a sound multiplayer model designed with cheating in mind, or that the cheats concern things that the server can't control, like client decisions (e.g. aimbot) or client presentation (e.g. wallhack).

Can't all games be hacked/cheated? Clients are inherently untrustworthy...

Yes but very few games bundle tools as good as those in Chrome to help you reverse engineer and manipulate them.

I still haven't figured out a way to disabled `debugger` statements in Web Developer Tools without disabling all breakpoints.

It's a pain when a site has heavily obfuscated code that constantly spawns anonymous functions that look like `function() { debugger; }`.

At a guess you could make a custom build of Chromium with the debugger statement disabled?

On the other hand it's a great platform if you do want to support custom clients. Not all multiplayer games even need PvP.