Looking For Unity Networking Security Tips

0 comments, last by Tangletail 7 years, 8 months ago

Hello, GameDev.net!

I've begun fiddling with Unity networking in Unity 5.4 (I believe the current Unity networking API's shorthand is UNET). Here is some background info on the project I have in mind:

  • A 2-player, turn-based collectible card-style game. Not projected to generate a lot of network traffic or require heavy processing (just synchronizing game board states, etc.)
  • A dedicated server box will run multiple Unity server processes on different ports. Each process instance should be able to handle 2 clients.
  • The same or a separate box will host a web interface (for the Unity clients) to handle logging in and out of user accounts & client matchmaking. Clients will first ask the matchmaker which port to connect to for each match. Then the clients will connect to that port on the game server and commence gameplay.

I'm looking for feedback and tips for building this system properly and keeping it secure. Especially:

  1. How do I make messages to/from the web interface secure? I don't want clients to be able to hack into another game instance on another port or do other nasty things. Is there a way to guarantee that messages intended for a web app come from a specific program (the Unity client)?
  2. When actually working with UNET, what practices can be performed to make hacking the game / cheating more difficult? Because this is a turn-based game, I'm currently striving for a very strict server-authoritative model (players don't have local authority; they just send commands to the server). Will this be enough?
  3. What other miscellaneous best practices should I know about concerning UNET?
  4. What is the most secure way to synchronize complex data structures like Dictionaries? I feel like calling add/remove Rpcs on server data change leaves room for hackers to inject something into the dictionary and send bad commands to the server (breaking the game). Let me know if this is a stretch.

Thanks for any advice!
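
The strict server-authoritative model described in points 2 and 4 of the post above, sketched as an added example that is not part of the original thread or of Unity's API. It is plain C# with no UNET calls; `MatchState`, `TryPlayCard` and `SnapshotBoard` are hypothetical names, and the five-slot board is an assumed rule.

```csharp
using System;
using System.Collections.Generic;

// Added example: authoritative match state held only by the server process (hypothetical names).
public sealed class MatchState
{
    private const int BoardSlots = 5; // assumed rule for this sketch
    private readonly Dictionary<int, HashSet<int>> hands = new Dictionary<int, HashSet<int>>();
    private readonly Dictionary<int, int> board = new Dictionary<int, int>(); // slot -> cardId
    private readonly int[] players;
    private int turnIndex;

    public MatchState(int playerA, int[] handA, int playerB, int[] handB)
    {
        players = new[] { playerA, playerB };
        hands[playerA] = new HashSet<int>(handA);
        hands[playerB] = new HashSet<int>(handB);
    }

    // senderId is taken from the connection the message arrived on, never from the message body.
    public bool TryPlayCard(int senderId, int cardId, int slot, out string reason)
    {
        HashSet<int> hand;
        reason = null;
        if (!hands.TryGetValue(senderId, out hand)) reason = "not a player in this match";
        else if (players[turnIndex] != senderId) reason = "not your turn";
        else if (slot < 0 || slot >= BoardSlots) reason = "slot out of range";
        else if (board.ContainsKey(slot)) reason = "slot occupied";
        else if (!hand.Remove(cardId)) reason = "card not in hand";
        if (reason != null) return false;   // rejected: state is untouched

        board[slot] = cardId;               // the only write to the board dictionary
        turnIndex = 1 - turnIndex;
        return true;
    }

    // Clients are sent a copy of the result; they never send add/remove operations.
    public Dictionary<int, int> SnapshotBoard() { return new Dictionary<int, int>(board); }
}

public static class Demo
{
    public static void Main()
    {
        var match = new MatchState(1, new[] { 10, 11 }, 2, new[] { 20, 21 }); // constructed data
        string why;
        Console.WriteLine(match.TryPlayCard(2, 20, 0, out why) + " / " + why); // player 2 acts first
        Console.WriteLine(match.TryPlayCard(1, 99, 0, out why) + " / " + why); // card player 1 does not hold
        Console.WriteLine(match.TryPlayCard(1, 10, 0, out why) + " / " + why); // legal move
    }
}
```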


When a game opens a port, you're typically responsible for it. At the same time, the operating system does try its hardest to prevent a user from gaining improper access to the OS's subroutines and file structures.

But... this doesn't always work, as apparently Street Fighter had opened people up to hacking somehow.

But I should also note that you can't fully protect your user from hackers, only make it harder.

You can try doing validation, using the Bluetooth style of doing things. Bluetooth constantly changes its signal between the devices, which makes it borderline impossible to hack without having the key originally.

For networking, you can use SSL encryption with the same effect. Once the connection is established, you play a game of telephone and alternate turns for which computer is generating a password. Once a new password is generated, you send the data to the PC, let it decrypt, read, write new data, and encrypt using the sent password, and toss that out while a new one is generated and sent to the client.
