Configuration & Whitelisting

This page explains how to configure CodexAC using the shared configuration file. All anticheat behavior is controlled from shared_anticheat_config.lua — you do not need to edit any other scripts.

---

1. File Location & Editing

• Config file name: shared_anticheat_config.lua

• Location: inside the codex_anticheat resource folder.

• After any change:

  • Restart the resource or

  • Restart the server to apply the new settings.

⚠️ Always make a backup of the config file before editing it.

---

2. Identity Settings

At the top of the config you’ll see:

CodexAC = {

    checkmethod = 'steam',
    RockstarLicense = false,
    DeveloperMode = true,
    
    allowlist = {
        'steam:xxxxxxxx',
        'steam:xxxxxxxx'
    },
    
    ...
}

2.1 checkmethod

checkmethod = 'steam',

Currently used to decide how whitelisting is handled.

• 'steam' – Uses the allowlist in this config file.

• 'SQL' – Reserved for future integration with a database (not used in this release).

✅ Leave this as steam unless Codex explicitly instructs otherwise.

---

2.2 RockstarLicense

RockstarLicense = false,

Decides which identifier CodexAC uses to recognize players:

• false → Uses the Steam identifier (e.g. steam:11000010abcdef).

• true → Uses the Rockstar license identifier (e.g. license:1234abcd...).

Choose one system and stick to it:

• If your staff and tools use Steam IDs → keep RockstarLicense = false.

• If you prefer license IDs → set RockstarLicense = true.

---

2.3 DeveloperMode

DeveloperMode = true,

Controls whether developer-only tools / extra logs are allowed.

• true – Development mode enabled Useful on test servers or for developers.

• false – Development mode disabled Recommended for live production servers.

🔒 On live servers you should usually set:

DeveloperMode = false

---

3. Player Whitelist (DevTools / NUI)

CodexAC can detect players who open NUI devtools and automatically kick them unless they are explicitly allowed.

The player whitelist is controlled by:

allowlist = {
    'steam:xxxxxxxx',
    'steam:xxxxxxxx'
},

These values depend on your RockstarLicense choice:

• If RockstarLicense = false → use Steam IDs in the list.

• If RockstarLicense = true → use license IDs in the list.

3.1 How to find a player’s ID

1. Have the player connect to your server.

2. Use your admin tools (or a separate identifier script) to copy:

   • Either their Steam identifier (steam:...)

   • Or their license identifier (license:...), depending on your setting.

💡 Most admin frameworks / logs show identifiers in the server console or in an admin menu.

---

3.2 How to whitelist a player

1. Open shared_anticheat_config.lua.

2. Go to the allowlist section.

3. Add the player’s identifier as a new line:

   allowlist = {
       'steam:11000010ABCDEF1', -- Owner
       'steam:11000010ABCDEFA', -- Admin 1
       'steam:11000010ABCDEFB', -- Admin 2
   },

   Or with licenses if RockstarLicense = true:

   allowlist = {
       'license:1234567890abcdef1234567890abcdef12345678',
       'license:abcdef1234567890abcdef1234567890abcdef12',
   },

4. Save the file.

5. Restart codex_anticheat or restart the server.

3.3 What the whitelist does

• Players in allowlist:

  • Are allowed to open devtools / NUI debug without being kicked by CodexAC.

• Players not in allowlist:

  • If they attempt to open devtools, CodexAC logs the event and kicks them (depending on settings).

✅ Use this whitelist only for trusted staff or developers. Never whitelist regular players.

---

4. Feature Toggles

In the config you’ll see a Features section:

------ Features ----
AntiAimbot            = true,
TrackPlayerAccuracy   = true,
AntiGodMode           = true,
HealReviveChecker     = true,
EnableNameTags        = false, --- do not enable this !
RaycastChecker        = true,
AntiPlayerTeleport    = true,
TamperDetection       = true,
AntiResourceInjection = true,
AntiEntities          = true,
DisableNatives        = true,
Antiscaleoverride     = true,
AntiCheatDropPlayer   = true,

Each option can be true (enabled) or false (disabled).

Summary of features:

• AntiAimbot – Detects aimbot-like behavior.

• TrackPlayerAccuracy – Tracks hit/miss accuracy to detect suspicious patterns.

• AntiGodMode – Detects players who don’t take damage.

• HealReviveChecker – Detects abnormal heals/revives.

• EnableNameTags – Extra nametags feature; comment says “do not enable this!” – keep false.

• RaycastChecker – Checks if shots/hits are physically possible.

• AntiPlayerTeleport – Detects unnatural teleports.

• TamperDetection – Detects attempts to modify the anticheat itself.

• AntiResourceInjection – Detects unauthorized running resources (see section 5).

• AntiEntities – Limits and checks entity spawns (see section 7).

• DisableNatives – Blocks known dangerous natives from running on the client.

• Antiscaleoverride – Prevents abnormal player size scaling.

• AntiCheatDropPlayer – When true, CodexAC will drop/kick players on serious detections. Set to false if you only want logging without auto-kicks.

🛡️ Recommended for live servers: Keep all detection features enabled unless you know exactly why you’re turning one off.

---

5. Resource Whitelist (Anti Resource Injection)

CodexAC includes a resource whitelist to detect unauthorized or injected resources running on the client.

In the config:

whitelistResource = {
    -- Base RedM Resources
    ["mapmanager"] = true,
    ["chat"]       = true,
    ["spawnmanager"] = true,
    ...
    ["codex_anticheat"] = true,
    -- many more...
},

This list contains all resources that are allowed to run on the client.

5.1 When is this used?

If a resource is detected on the client that is not listed in whitelistResource:

• CodexAC treats it as unauthorized (potential injected menu/cheat).

• It logs the issue and, if AntiCheatDropPlayer = true, can kick the player.

5.2 How to whitelist a new resource

When you install a new resource/script on your server:

1. Note the resource folder name (e.g. folder my_cool_resource → name is my_cool_resource).

2. Open shared_anticheat_config.lua.

3. Find the whitelistResource table.

4. Add your resource:

   whitelistResource = {
       ...
       ["my_cool_resource"] = true,
   },

5. Save the file.

6. Restart codex_anticheat or the server.

⚠️ If you forget to add a new legitimate resource to whitelistResource, players may be flagged or kicked when that resource runs.

---

6. Scale Limits (LimitsScale)

CodexAC can detect abnormal player size changes (e.g. making your character huge or tiny).

LimitsScale = {
    MinSize = 0.37,
    MaxSize = 4.08 -- adjust depending on what sizes are normal in your server
},

• MinSize – Smallest allowed scale.

• MaxSize – Largest allowed scale.

If Antiscaleoverride = true, any player going outside this range will be flagged.

💡 On vanilla servers you usually don’t need to change these. If you have scripts that legitimately change player scale, adjust the limits to include your normal range.

---

7. Command & Event Bait + Event Rate Limits

7.1 Blacklisted / bait commands

blacklistedCommands = {
    "bomb",
    "test:aimbot",
    "kms",
    "test:exp"
},

baitEvents = {
    "giveweapon",
    "addmoney",
    "setadmin",
    "reviveall",
    "spawnhorse"
},

• blacklistedCommands – If a player tries to run one of these commands, CodexAC treats it as suspicious.

• baitEvents – Events that should never be triggered by legit gameplay. Cheats trying these will be caught.

You can:

• Add events / commands commonly used by menus/cheats.

• Remove entries only if you know a legitimate script uses them.

---

7.2 Event spam limits

EventLimit  = 25, -- Max events in 5 seconds
EventWindow = 5,  -- Time window in seconds

• EventLimit – Maximum number of certain events a player can trigger in EventWindow seconds.

• EventWindow – Time frame (in seconds) for that limit.

If a player triggers events too quickly (e.g. spammy cheat), CodexAC can flag them.

✅ For most servers, default values are fine. Only lower them if you want stricter rate limiting and have tested that your scripts don’t spam events legitimately.

---

8. Entity Limits (Limits)

CodexAC also controls entity spam — like spawning too many peds, animals, or objects.

Limits = {
    Ped            = 20,
    Animal         = 10,
    Object         = 15,
    SpawnRateLimit = 5,  -- max spawns in X seconds
    RateLimitWindow = 10 -- seconds
},

• Ped – Max number of player-controlled peds allowed.

• Animal – Max animals per player.

• Object – Max objects per player.

• SpawnRateLimit – Max new entities a player can spawn within RateLimitWindow.

• RateLimitWindow – Time window for spawn limit (in seconds).

If AntiEntities = true, going over these limits is treated as suspicious.

⚙️ Increase these values only if your server legitimately spawns more entities per player (for example, very busy custom jobs or events).

---

9. Blacklisted Models (BlacklistModels)

At the bottom of the config:

BlacklistModels = {
    -- Legendary animals
    [`A_C_LegendaryBear`]      = true,
    [`A_C_LegendaryPanther`]   = true,
    [`A_C_LegendaryAlligator`] = true,
    -- Troll props
    [`p_treestump01x`]               = true,
    [`p_cabinwardrobebroken01x`]     = true,
    [`mp005_s_rhodeschurchgrave01x`] = true,
    [`mp005_s_railtrack01x`]         = true,
}

Any model listed here:

• When spawned by a player, is treated as forbidden.

• The entity can be deleted and the player flagged/kicked (depending on settings).

You can customize this list to:

• Add models that are commonly abused on your server.

• Remove models only if a legitimate script needs them.

⚠️ Be careful removing entries – many of these are specifically chosen because they’re typically used for trolling or crashing.

---

10. Recommended Live-Server Settings

For a typical live RP / PvP server:

checkmethod        = 'steam',
RockstarLicense    = false,     -- or true if you prefer license IDs
DeveloperMode      = false,

AntiAimbot         = true,
TrackPlayerAccuracy= true,
AntiGodMode        = true,
HealReviveChecker  = true,
EnableNameTags     = false,
RaycastChecker     = true,
AntiPlayerTeleport = true,
TamperDetection    = true,
AntiResourceInjection = true,
AntiEntities       = true,
DisableNatives     = true,
Antiscaleoverride  = true,
AntiCheatDropPlayer= true,      -- enable auto-kicks

-- Keep Limits, EventLimit, EventWindow, LimitsScale, BlacklistModels
-- at default unless you know what you are changing.

And:

• Add your staff / devs to allowlist.

• Add any custom resources you install to whitelistResource.