Preventing Users Spoofing Messages To Backend From Javascript

5 comments, last by hplus0603 2 years, 9 months ago

I'm looking to create a javascript based game that contains a leaderboard system to allow users to compete against other players.

I'm concerned that it might be too easy for players to cheat. Given the game will be rendered in the browser, at some point we will need to send a message to the server with the player's score - how can we prevent the user from faking the message to the back end? I thought about encrypting it, but then wouldn't the encryption key be visible in the source code, thereby allowing the user to encrypt a fake message too?

Gavin Coates
IT Engineer / Web Developer / Aviation Consultant
[ Taxiway Alpha ] [ Personal Home Page ]

Yep, indeed. You cannot trust any system you don't control if you don't want fake messages.

Thus, the only way out is to have a system under your control that the player uses in the game. One form is that your system decides what happens in the actual game (and keeps score), while the user system just displays animations etc.

The safest way to do this, is to have the game rules on the server. You read input from the client, you render on the client, but the simulation that matters is on the server.

(For action games, you may need to ALSO run the simulation on the client, and then fix it up if the server tells the client that the outcome was different than what the client simulated.)

If that's not doable for you, then you can also send a stream of moves/actions for the game to the server as they happen, perhaps with incremental scores, and when the game finishes, if the player got a significantly high score, OR randomly once in a while, play back the recorded game on the server, and verify that the output was as stated.

The third option is to realize that this game isn't all that important in the world, a cheater is unlikely to actually show up for a while, and maybe it's OK with a leaderboard that's easy-ish to cheat. You could at least make the key be different per player (assuming you have player registration), so that the same player cheat code that works for player A, works for player B without some changes. That might cut down on the cheesiest and simplest scripts. But probably not.

enum Bool { True, False, FileNotFound };
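The "send the stream of moves and replay it on the server" approach from the post above, as an added example that is not from the thread or from anyone in it. The mini-game, its rules and its scoring are constructed for the example; the point is that the simulation is deterministic, so the server can re-run it from the seed it issued plus the client's recorded inputs and compare the result with the score the client claims. Nothing about the score itself is trusted, and no key needs to be hidden in the client.

```javascript
// Added example: server-side replay verification of a client-recorded game.
// Game rules and constants below are constructed for this example.

// Tiny seeded PRNG (mulberry32) so the server draws exactly the same
// "target lanes" the client drew during play.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed rules: each tick a target appears in one of LANES lanes; an
// input equal to that lane scores POINTS_PER_HIT, anything else scores 0.
// A game is exactly TICKS ticks long and legal inputs are 0 .. LANES-1.
const TICKS = 20;
const LANES = 3;
const POINTS_PER_HIT = 10;

// Deterministic simulation shared (conceptually) by client and server.
// Returns {ok:false, reason} for malformed input streams.
function simulate(seed, inputs) {
  if (!Array.isArray(inputs) || inputs.length !== TICKS) {
    return { ok: false, reason: 'wrong number of inputs' };
  }
  const rng = mulberry32(seed);
  let score = 0;
  for (let tick = 0; tick < TICKS; tick++) {
    const lane = Math.floor(rng() * LANES);
    const input = inputs[tick];
    if (!Number.isInteger(input) || input < 0 || input >= LANES) {
      return { ok: false, reason: `illegal input at tick ${tick}` };
    }
    if (input === lane) score += POINTS_PER_HIT;
  }
  return { ok: true, score };
}

// Server side. `issuedSeed` is the seed the server handed out when the game
// started (so the client cannot choose one); `submission` is what the client
// sends back: its input stream and the score it displayed. The claimed score
// is only ever compared against the replay, never recorded directly.
function verifySubmission(issuedSeed, submission) {
  const replay = simulate(issuedSeed, submission.inputs);
  if (!replay.ok) return { accepted: false, reason: replay.reason };
  if (replay.score !== submission.claimedScore) {
    return { accepted: false, reason: 'claimed score does not match replay' };
  }
  return { accepted: true, score: replay.score };
}

// Constructed honest client: the player always picks lane 0 and reports
// whatever score the shared simulation produced.
function honestSubmission(seed) {
  const inputs = new Array(TICKS).fill(0);
  return { inputs, claimedScore: simulate(seed, inputs).score };
}

// Usage (seed would come from the server's per-game record):
const demoSeed = 12345;
const demo = honestSubmission(demoSeed);
verifySubmission(demoSeed, demo);                                        // accepted
verifySubmission(demoSeed, { ...demo, claimedScore: demo.claimedScore + 50 }); // rejected
```

The replay costs the server one run of the simulation per submission, which is why the post suggests doing it only for high scores or on a random sample. The follow-up concern in the thread, a script that feeds a perfect input stream, is not addressed by replay alone; that is what the timing and bot-detection ideas later in the thread are for.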

Thanks for the reply hplus0603.

Unfortunately it will matter if someone cheats, as it might (hopefully) be a high profile game that will attract a lot of attention, and offer prizes for the top player each week, so there is certainly an incentive for people to cheat.

Option 2 I considered, but again I think that might be open to cheating, as the user could just write a program to quickly send a stream of commands simulating the gameplay.

Option 1 seems the only feasible option to stop someone cheating, as I suspected; as long as the logic is client side it's open to manipulation. Unfortunately I don't think it's feasible to have the logic server side in this case.

Gavin Coates
IT Engineer / Web Developer / Aviation Consultant
[ Taxiway Alpha ] [ Personal Home Page ]

Option 2 is seen on several platforms; it's just using bots, which can be made in several ways. If they're not going for the messages, they're going for the input, and they can do whatever they want with their input.

Encryption won't benefit either.

If real-time server-side handling is too expensive, how about some sanity checks? Server deals a ticket per level, sees that the level was finished after a certain amount of time. Sanity checks the scores. You can still cheat with this, but at least the top scorer will have theoretically achievable score…

Option 2 is totally possible, you can use many different mechanisms to detect bots. The most obvious one is recording arrival time for each message for a particular game instance, and checking for patterns there, but the playbook for cheater detection/ban based on analytics goes very deep.

The main trick is to not ban the bot users right away, instead “score” each user, and every once in a while, mass ban the bot users, and remove their leaderboard entries. If you pay weekly prizes, then doing this right before the conclusion of each week might be the right cadence.

Also, if you say that it will be high profile and pay prizes, then you should have enough resources available to enforce things server side. If you want specific pointers on how it might be done, you'll have to share a little more details about what the gameplay really is and what the interesting decisions and skill challenges are.

enum Bool { True, False, FileNotFound };
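The message-arrival-time heuristic and the deferred "score now, sweep later" cadence from the post above, as an added example that is not from the thread or from anyone in it. The suspicion measure (how metronomic a player's inter-arrival gaps are, via the coefficient of variation), the cutoff values and the sample timings are all constructed; a real system would tune them against recorded traffic and combine several such signals before acting.

```javascript
// Added example: timing-based bot scoring with a deferred mass sweep.
// Thresholds and sample data are constructed for this example.

// Coefficient of variation below which a gap sequence is treated as fully
// machine-regular (constructed cutoff).
const REGULAR_CV = 0.2;

// Map one game's message arrival times (ms) to a suspicion score in [0, 1]:
// 1 = perfectly regular gaps, 0 = as jittery as a human or more so.
function timingSuspicion(arrivalsMs) {
  if (arrivalsMs.length < 3) return 0; // too little data to judge
  const gaps = [];
  for (let i = 1; i < arrivalsMs.length; i++) {
    gaps.push(arrivalsMs[i] - arrivalsMs[i - 1]);
  }
  const mean = gaps.reduce((a, g) => a + g, 0) / gaps.length;
  if (mean <= 0) return 1; // zero or negative gaps: not a real input device
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  const cv = Math.sqrt(variance) / mean;
  return Math.max(0, Math.min(1, 1 - cv / REGULAR_CV));
}

// Accumulates per-player suspicion across games without acting on it, so a
// bot author gets no immediate feedback about which games tripped detection.
class CheatLedger {
  constructor() {
    this.scores = new Map(); // playerId -> array of per-game suspicion values
  }

  record(playerId, arrivalsMs) {
    const s = timingSuspicion(arrivalsMs);
    if (!this.scores.has(playerId)) this.scores.set(playerId, []);
    this.scores.get(playerId).push(s);
    return s;
  }

  // Mean suspicion over everything recorded for the player (0 if unknown).
  score(playerId) {
    const xs = this.scores.get(playerId) || [];
    return xs.length ? xs.reduce((a, b) => a + b, 0) / xs.length : 0;
  }

  // The periodic sweep (e.g. just before weekly prizes are decided): returns
  // the players over the threshold and the leaderboard with them removed.
  // Leaderboard entries are { playerId, score }.
  sweep(leaderboard, threshold = 0.8) {
    const banned = [...this.scores.keys()].filter((p) => this.score(p) >= threshold);
    const bannedSet = new Set(banned);
    return {
      banned,
      leaderboard: leaderboard.filter((e) => !bannedSet.has(e.playerId)),
    };
  }
}

// Usage with constructed timings: a script firing every 100 ms versus a
// human whose gaps wander between 80 and 210 ms.
const ledger = new CheatLedger();
ledger.record('script', [0, 100, 200, 300, 400, 500]);
ledger.record('human', [0, 130, 300, 380, 590, 700]);
ledger.sweep([{ playerId: 'script', score: 9999 }, { playerId: 'human', score: 4200 }]);
```

Scoring, rather than banning on the first suspicious game, also keeps false positives survivable: a single unusually steady human game is averaged against that player's other games before the sweep looks at the number.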
