I'm building a server-side API and client-side library for a JavaScript-based game where two very important features must be secured.
Solving the first problem seems simple; at the beginning of each play we hit the API, debit the user's account and return a unique Play ID. When we submit the user's score for that play, we pass the ID issued at the beginning.
The second one has me a little stumped. Initially I considered a client-side hashing algorithm based on the ID and the score, but quickly realized that the Javascript that produces the hash could easily be reverse-engineered, even if it was obfuscated. At this point I considered a small flash component that generates the hash, but I've heard that even compiled flash can be decompiled.
For added context, I plan to build the server side API in Ruby.
I'd love to hear any suggestions the clever programmers of Stack Overflow have to offer. Thanks for your time!
Edit: The answer by Homer6 below is a very good solution for more sophisticated games, but unfortunately the simplicity of this game doesn't merit a method like that. It's a very short-play time based game, so the score is just the time it takes you to complete a level.
As a rule of thumb just assume that anything in the client side can be faked.