What causes a leaderboard that trusts any score the client submits?

The submit endpoint stores whatever score value the client sends, so anyone can POST an arbitrary number directly to the API.

How do I catch this when it only happens for some players?

Capture it automatically from the player's device with the full stack trace, the device and OS, the build, and a breadcrumb trail of what they did. That turns a vague complaint into a specific, reproducible issue you can fix without owning the hardware it happens on.

How to Fix a Leaderboard That Accepts Any Score the Client Posts

Quick answer: Validate every submission server-side: enforce a plausible maximum, rate-limit per account, and for high-value boards require a replay or server-side simulation to confirm the score.

Your high-score endpoint takes a number and writes it to the table. A player opens dev tools or a proxy, posts a gigantic value, and tops the board. The fix is to stop trusting the number and verify it on the server before it counts.

How to fix it

1. Bound and rate-limit submissions

Reject scores above the theoretical maximum for the mode, and rate-limit submissions per account and per IP so scripted spam is throttled.

2. Require a verifiable artifact

For competitive boards, submit the input log or seed needed to reproduce the run, and re-simulate it server-side. Accept the score only if the replay produces it.

3. Sign and timestamp submissions

Attach a server-issued session token to each run so a score cannot be replayed from an old or fabricated session, and reject submissions whose token does not match an active session.

Catching the ones you can't reproduce

The hardest version of this to fix is the one you can't reproduce — it only happens on a player's hardware, OS, driver, or save state, under conditions that simply aren't present on your machine. A report that says “it crashed” or “it froze” gives you nothing to act on, so the bug survives release after release while quietly costing you players.

Automatic error capture closes that gap. Each failure arrives with its full stack trace, the device and OS, the build number, and a breadcrumb trail of what the player did right before it broke, so even a failure you have never seen becomes a specific, reproducible issue. Fold identical failures into one signature ranked by how many players each hits, and your worklist sorts itself worst-first instead of arriving as a stream of vague complaints.

This is where a tool like Bugnet earns its place. Its SDK captures every HTML5 error automatically with the full stack trace plus device, OS, memory, build, and game-state context, folds duplicates into one grouped issue with an occurrence count, and ties each to the build it first appeared on — so you fix the problem that hurts the most players first and confirm it is gone when its signature disappears from the next release.

Ship the fix, watch the signature disappear from the next build. That's how you know it's really gone.