# Configuration & Whitelisting
***
#### 1. File Location & Editing
* Config file name: **`shared_anticheat_config.lua`**
* Location: inside the `codex_anticheat` resource folder.
* After any change:
* **Restart the resource** or
* **Restart the server** to apply the new settings.
> ⚠️ Always make a backup of the config file before editing it.
***
#### 2. Identity Settings
At the top of the config you’ll see:
Copy
```lua
CodexAC = {
checkmethod = 'steam',
RockstarLicense = false,
DeveloperMode = true,
allowlist = {
'steam:xxxxxxxx',
'steam:xxxxxxxx'
},
...
}
```
**2.1 `checkmethod`**
Copy
```lua
checkmethod = 'steam',
```
Currently used to decide how whitelisting is handled.
* **`'steam'`** – Uses the `allowlist` in this config file.
* **`'SQL'`** – Reserved for future integration with a database (not used in this release).
> ✅ Leave this as `steam` unless Codex explicitly instructs otherwise.
***
**2.2 `RockstarLicense`**
```lua
RockstarLicense = false,
```
Decides which identifier CodexAC uses to recognize players:
* `false` → Uses the **Steam** identifier (e.g. `steam:11000010abcdef`).
* `true` → Uses the **Rockstar license** identifier (e.g. `license:1234abcd...`).
Choose **one** system and stick to it:
* If your staff and tools use Steam IDs → keep `RockstarLicense = false`.
* If you prefer license IDs → set `RockstarLicense = true`.
***
**2.3 `DeveloperMode`**
```lua
DeveloperMode = true,
```
Controls whether **developer-only tools / extra logs** are allowed.
* `true` – Development mode **enabled** Useful on test servers or for developers.
* `false` – Development mode **disabled** Recommended for live production servers.
> 🔒 On live servers you should usually set:
>
> ```lua
> DeveloperMode = false
> ```
***
#### 3. Player Whitelist (DevTools / NUI)
CodexAC can detect players who open **NUI devtools** and automatically kick them unless they are explicitly allowed.
The player whitelist is controlled by:
```lua
allowlist = {
'steam:xxxxxxxx',
'steam:xxxxxxxx'
},
```
These values depend on your `RockstarLicense` choice:
* If `RockstarLicense = false` → use **Steam IDs** in the list.
* If `RockstarLicense = true` → use **license IDs** in the list.
**3.1 How to find a player’s ID**
1. Have the player connect to your server.
2. Use your admin tools (or a separate identifier script) to copy:
* Either their **Steam** identifier (`steam:...`)
* Or their **license** identifier (`license:...`), depending on your setting.
> 💡 Most admin frameworks / logs show identifiers in the server console or in an admin menu.
***
**3.2 How to whitelist a player**
1. Open `shared_anticheat_config.lua`.
2. Go to the `allowlist` section.
3. Add the player’s identifier as a new line:
```lua
allowlist = {
'steam:11000010ABCDEF1', -- Owner
'steam:11000010ABCDEFA', -- Admin 1
'steam:11000010ABCDEFB', -- Admin 2
},
```
Or with licenses if `RockstarLicense = true`:
```lua
allowlist = {
'license:1234567890abcdef1234567890abcdef12345678',
'license:abcdef1234567890abcdef1234567890abcdef12',
},
```
4. Save the file.
5. Restart `codex_anticheat` or restart the server.
**3.3 What the whitelist does**
* Players in `allowlist`:
* Are **allowed** to open devtools / NUI debug without being kicked by CodexAC.
* Players **not** in `allowlist`:
* If they attempt to open devtools, CodexAC **logs** the event and **kicks** them (depending on settings).
> ✅ Use this whitelist only for **trusted staff or developers**. Never whitelist regular players.
***
#### 4. Feature Toggles
In the config you’ll see a **Features** section:
```lua
------ Features ----
AntiAimbot = true,
TrackPlayerAccuracy = true,
AntiGodMode = true,
HealReviveChecker = true,
EnableNameTags = false, --- do not enable this !
RaycastChecker = true,
AntiPlayerTeleport = true,
TamperDetection = true,
AntiResourceInjection = true,
AntiEntities = true,
DisableNatives = true,
Antiscaleoverride = true,
AntiCheatDropPlayer = true,
```
Each option can be `true` (enabled) or `false` (disabled).
**Summary of features:**
* `AntiAimbot` – Detects aimbot-like behavior.
* `TrackPlayerAccuracy` – Tracks hit/miss accuracy to detect suspicious patterns.
* `AntiGodMode` – Detects players who don’t take damage.
* `HealReviveChecker` – Detects abnormal heals/revives.
* `EnableNameTags` – Extra nametags feature; comment says **“do not enable this!”** – keep `false`.
* `RaycastChecker` – Checks if shots/hits are physically possible.
* `AntiPlayerTeleport` – Detects unnatural teleports.
* `TamperDetection` – Detects attempts to modify the anticheat itself.
* `AntiResourceInjection` – Detects unauthorized running resources (see section 5).
* `AntiEntities` – Limits and checks entity spawns (see section 7).
* `DisableNatives` – Blocks known dangerous natives from running on the client.
* `Antiscaleoverride` – Prevents abnormal player size scaling.
* `AntiCheatDropPlayer` – When `true`, CodexAC will **drop/kick** players on serious detections. Set to `false` if you only want **logging** without auto-kicks.
> 🛡️ Recommended for live servers: Keep all detection features enabled unless you know exactly why you’re turning one off.
***
#### 5. Resource Whitelist (Anti Resource Injection)
CodexAC includes a **resource whitelist** to detect unauthorized or injected resources running on the client.
In the config:
```lua
whitelistResource = {
-- Base RedM Resources
["mapmanager"] = true,
["chat"] = true,
["spawnmanager"] = true,
...
["codex_anticheat"] = true,
-- many more...
},
```
This list contains **all resources that are allowed** to run on the client.
**5.1 When is this used?**
If a resource is detected on the client that is **not** listed in `whitelistResource`:
* CodexAC treats it as **unauthorized** (potential injected menu/cheat).
* It logs the issue and, if `AntiCheatDropPlayer = true`, can **kick** the player.
**5.2 How to whitelist a new resource**
When you install a new resource/script on your server:
1. Note the **resource folder name** (e.g. folder `my_cool_resource` → name is `my_cool_resource`).
2. Open `shared_anticheat_config.lua`.
3. Find the `whitelistResource` table.
4. Add your resource:
Copy
```
whitelistResource = {
...
["my_cool_resource"] = true,
},
```
5. Save the file.
6. Restart `codex_anticheat` or the server.
> ⚠️ If you forget to add a new legitimate resource to `whitelistResource`, players may be flagged or kicked when that resource runs.
***
#### 6. Scale Limits (`LimitsScale`)
CodexAC can detect abnormal player size changes (e.g. making your character huge or tiny).
```lua
LimitsScale = {
MinSize = 0.37,
MaxSize = 4.08 -- adjust depending on what sizes are normal in your server
},
```
* `MinSize` – Smallest allowed scale.
* `MaxSize` – Largest allowed scale.
If `Antiscaleoverride = true`, any player going outside this range will be flagged.
> 💡 On vanilla servers you usually don’t need to change these. If you have scripts that **legitimately** change player scale, adjust the limits to include your normal range.
***
#### 7. Command & Event Bait + Event Rate Limits
**7.1 Blacklisted / bait commands**
```lua
blacklistedCommands = {
"bomb",
"test:aimbot",
"kms",
"test:exp"
},
baitEvents = {
"giveweapon",
"addmoney",
"setadmin",
"reviveall",
"spawnhorse"
},
```
* `blacklistedCommands` – If a player tries to run one of these commands, CodexAC treats it as suspicious.
* `baitEvents` – Events that **should never** be triggered by legit gameplay. Cheats trying these will be caught.
You can:
* **Add** events / commands commonly used by menus/cheats.
* **Remove** entries only if you know a legitimate script uses them.
***
**7.2 Event spam limits**
```lua
EventLimit = 25, -- Max events in 5 seconds
EventWindow = 5, -- Time window in seconds
```
* `EventLimit` – Maximum number of certain events a player can trigger in `EventWindow` seconds.
* `EventWindow` – Time frame (in seconds) for that limit.
If a player triggers events too quickly (e.g. spammy cheat), CodexAC can flag them.
> ✅ For most servers, default values are fine. Only lower them if you want stricter rate limiting and have tested that your scripts don’t spam events legitimately.
***
#### 8. Entity Limits (`Limits`)
CodexAC also controls entity spam — like spawning too many peds, animals, or objects.
```lua
Limits = {
Ped = 20,
Animal = 10,
Object = 15,
SpawnRateLimit = 5, -- max spawns in X seconds
RateLimitWindow = 10 -- seconds
},
```
* `Ped` – Max number of player-controlled peds allowed.
* `Animal` – Max animals per player.
* `Object` – Max objects per player.
* `SpawnRateLimit` – Max new entities a player can spawn within `RateLimitWindow`.
* `RateLimitWindow` – Time window for spawn limit (in seconds).
If `AntiEntities = true`, going over these limits is treated as suspicious.
> ⚙️ Increase these values **only** if your server legitimately spawns more entities per player (for example, very busy custom jobs or events).
***
#### 9. Blacklisted Models (`BlacklistModels`)
At the bottom of the config:
```lua
BlacklistModels = {
-- Legendary animals
[`A_C_LegendaryBear`] = true,
[`A_C_LegendaryPanther`] = true,
[`A_C_LegendaryAlligator`] = true,
-- Troll props
[`p_treestump01x`] = true,
[`p_cabinwardrobebroken01x`] = true,
[`mp005_s_rhodeschurchgrave01x`] = true,
[`mp005_s_railtrack01x`] = true,
}
```
Any model listed here:
* When spawned by a player, is treated as **forbidden**.
* The entity can be deleted and the player flagged/kicked (depending on settings).
You can customize this list to:
* Add models that are **commonly abused** on your server.
* Remove models **only if** a legitimate script needs them.
> ⚠️ Be careful removing entries – many of these are specifically chosen because they’re typically used for trolling or crashing.
***
#### 10. Recommended Live-Server Settings
For a typical live RP / PvP server:
```lua
checkmethod = 'steam',
RockstarLicense = false, -- or true if you prefer license IDs
DeveloperMode = false,
AntiAimbot = true,
TrackPlayerAccuracy= true,
AntiGodMode = true,
HealReviveChecker = true,
EnableNameTags = false,
RaycastChecker = true,
AntiPlayerTeleport = true,
TamperDetection = true,
AntiResourceInjection = true,
AntiEntities = true,
DisableNatives = true,
Antiscaleoverride = true,
AntiCheatDropPlayer= true, -- enable auto-kicks
-- Keep Limits, EventLimit, EventWindow, LimitsScale, BlacklistModels
-- at default unless you know what you are changing.
```
And:
* Add your **staff / devs** to `allowlist`.
* Add any **custom resources** you install to `whitelistResource`.