diff --git a/NorthstarDedicatedTest/NorthstarDedicatedTest.vcxproj b/NorthstarDedicatedTest/NorthstarDedicatedTest.vcxproj
index 0857c2db..10f6cef4 100644
--- a/NorthstarDedicatedTest/NorthstarDedicatedTest.vcxproj
+++ b/NorthstarDedicatedTest/NorthstarDedicatedTest.vcxproj
@@ -175,6 +175,7 @@
     <ClInclude Include="context.h" />
     <ClInclude Include="convar.h" />
     <ClInclude Include="dedicated.h" />
+    <ClInclude Include="dedicatedmaterialsystem.h" />
     <ClInclude Include="filesystem.h" />
     <ClInclude Include="gameutils.h" />
     <ClInclude Include="hooks.h" />
@@ -314,6 +315,7 @@
     <ClInclude Include="modmanager.h" />
     <ClInclude Include="pch.h" />
     <ClInclude Include="playlist.h" />
+    <ClInclude Include="securitypatches.h" />
     <ClInclude Include="scriptmodmenu.h" />
     <ClInclude Include="scriptserverbrowser.h" />
     <ClInclude Include="scriptsrson.h" />
@@ -330,6 +332,7 @@
     <ClCompile Include="context.cpp" />
     <ClCompile Include="convar.cpp" />
     <ClCompile Include="dedicated.cpp" />
+    <ClCompile Include="dedicatedmaterialsystem.cpp" />
     <ClCompile Include="dllmain.cpp" />
     <ClCompile Include="filesystem.cpp" />
     <ClCompile Include="gameutils.cpp" />
@@ -347,6 +350,7 @@
       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
     </ClCompile>
     <ClCompile Include="playlist.cpp" />
+    <ClCompile Include="securitypatches.cpp" />
     <ClCompile Include="scriptmodmenu.cpp" />
     <ClCompile Include="scriptserverbrowser.cpp" />
     <ClCompile Include="scriptsrson.cpp" />
diff --git a/NorthstarDedicatedTest/NorthstarDedicatedTest.vcxproj.filters b/NorthstarDedicatedTest/NorthstarDedicatedTest.vcxproj.filters
index 4ed01144..524fa2e7 100644
--- a/NorthstarDedicatedTest/NorthstarDedicatedTest.vcxproj.filters
+++ b/NorthstarDedicatedTest/NorthstarDedicatedTest.vcxproj.filters
@@ -567,6 +567,12 @@
     <ClInclude Include="playlist.h">
       <Filter>Header Files\Server</Filter>
     </ClInclude>
+    <ClInclude Include="securitypatches.h">
+      <Filter>Header Files\Client</Filter>
+    </ClInclude>
+    <ClInclude Include="dedicatedmaterialsystem.h">
+      <Filter>Header Files\Dedicated</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="dllmain.cpp">
@@ -647,6 +653,12 @@
     <ClCompile Include="playlist.cpp">
       <Filter>Source Files\Server</Filter>
     </ClCompile>
+    <ClCompile Include="securitypatches.cpp">
+      <Filter>Source Files\Client</Filter>
+    </ClCompile>
+    <ClCompile Include="dedicatedmaterialsystem.cpp">
+      <Filter>Source Files\Dedicated</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <None Include="include\spdlog\fmt\bundled\LICENSE.rst">
diff --git a/NorthstarDedicatedTest/dedicated.cpp b/NorthstarDedicatedTest/dedicated.cpp
index 8d7a6f8c..089ca467 100644
--- a/NorthstarDedicatedTest/dedicated.cpp
+++ b/NorthstarDedicatedTest/dedicated.cpp
@@ -233,21 +233,6 @@ void InitialiseDedicated(HMODULE engineAddress)
 	// also look into materialsystem + 5B344 since it seems to be the base of all the renderthread stuff
 }
 
-void InitialiseDedicatedMaterialSystem(HMODULE baseAddress)
-{
-	{
-		// CMaterialSystem::FindMaterial
-		char* ptr = (char*)baseAddress + 0x5F0F1;
-		TempReadWrite rw(ptr);
-
-		// make the game use the error material
-		*ptr = 0xE9;
-		*(ptr + 1) = (char)0x34;
-		*(ptr + 2) = (char)0x03;
-		*(ptr + 3) = (char)0x00;
-	}
-}
-
 void Sys_Printf(CDedicatedExports* dedicated, char* msg)
 {
 	spdlog::info("[DEDICATED PRINT] {}", msg);
diff --git a/NorthstarDedicatedTest/dedicated.h b/NorthstarDedicatedTest/dedicated.h
index 18213123..ed2ae09e 100644
--- a/NorthstarDedicatedTest/dedicated.h
+++ b/NorthstarDedicatedTest/dedicated.h
@@ -27,4 +27,3 @@ struct CDedicatedExports
 // hooking stuff
 extern bool bDedicatedHooksInitialised;
 void InitialiseDedicated(HMODULE moduleAddress);
-void InitialiseDedicatedMaterialSystem(HMODULE baseAddress);
diff --git a/NorthstarDedicatedTest/dedicatedmaterialsystem.cpp b/NorthstarDedicatedTest/dedicatedmaterialsystem.cpp
new file mode 100644
index 00000000..93e0a0eb
--- /dev/null
+++ b/NorthstarDedicatedTest/dedicatedmaterialsystem.cpp
@@ -0,0 +1,19 @@
+#pragma once
+#include "pch.h"
+#include "dedicatedmaterialsystem.h"
+#include "hookutils.h"
+
+void InitialiseDedicatedMaterialSystem(HMODULE baseAddress)
+{
+	{
+		// CMaterialSystem::FindMaterial
+		char* ptr = (char*)baseAddress + 0x5F0F1;
+		TempReadWrite rw(ptr);
+
+		// make the game use the error material
+		*ptr = 0xE9;
+		*(ptr + 1) = (char)0x34;
+		*(ptr + 2) = (char)0x03;
+		*(ptr + 3) = (char)0x00;
+	}
+}
\ No newline at end of file
diff --git a/NorthstarDedicatedTest/dedicatedmaterialsystem.h b/NorthstarDedicatedTest/dedicatedmaterialsystem.h
new file mode 100644
index 00000000..284444e6
--- /dev/null
+++ b/NorthstarDedicatedTest/dedicatedmaterialsystem.h
@@ -0,0 +1,2 @@
+#pragma once
+void InitialiseDedicatedMaterialSystem(HMODULE baseAddress);
\ No newline at end of file
diff --git a/NorthstarDedicatedTest/dllmain.cpp b/NorthstarDedicatedTest/dllmain.cpp
index 3439c6ce..0a5eb388 100644
--- a/NorthstarDedicatedTest/dllmain.cpp
+++ b/NorthstarDedicatedTest/dllmain.cpp
@@ -3,6 +3,7 @@
 #include "main.h"
 #include "squirrel.h"
 #include "dedicated.h"
+#include "dedicatedmaterialsystem.h"
 #include "sourceconsole.h"
 #include "logging.h"
 #include "concommand.h"
@@ -17,6 +18,7 @@
 #include "chatcommand.h"
 #include "modlocalisation.h"
 #include "playlist.h"
+#include "securitypatches.h"
 
 bool initialised = false;
 
@@ -63,6 +65,7 @@ void InitialiseNorthstar()
 
     if (!IsDedicated())
     {
+        AddDllLoadCallback("engine.dll", InitialiseClientEngineSecurityPatches);
         AddDllLoadCallback("client.dll", InitialiseClientSquirrel);
         AddDllLoadCallback("client.dll", InitialiseSourceConsole);
         AddDllLoadCallback("engine.dll", InitialiseChatCommands);
diff --git a/NorthstarDedicatedTest/masterserver.cpp b/NorthstarDedicatedTest/masterserver.cpp
index aecf2f1a..d82be8f0 100644
--- a/NorthstarDedicatedTest/masterserver.cpp
+++ b/NorthstarDedicatedTest/masterserver.cpp
@@ -358,7 +358,12 @@ void MasterServerManager::AddSelfToServerList(int port, int authPort, char* name
 		return;
 
 	if (!Cvar_ns_report_sp_server_to_masterserver->m_nValue && !strncmp(map, "sp_", 3))
+	{
+		m_bRequireClientAuth = false;
 		return;
+	}
+
+	m_bRequireClientAuth = true;
 
 	std::thread requestThread([this, port, authPort, name, description, map, playlist, maxPlayers, password] {
 			httplib::Client http(Cvar_ns_masterserver_hostname->m_pszString, Cvar_ns_masterserver_port->m_nValue);
diff --git a/NorthstarDedicatedTest/masterserver.h b/NorthstarDedicatedTest/masterserver.h
index ca2df356..a5fba5aa 100644
--- a/NorthstarDedicatedTest/masterserver.h
+++ b/NorthstarDedicatedTest/masterserver.h
@@ -38,6 +38,7 @@ private:
 	bool m_requestingServerList = false;
 	bool m_authenticatingWithGameServer = false;
 	bool m_savingPersistentData = false;
+	bool m_bRequireClientAuth = false;
 
 public:
 	char m_ownServerId[33];
diff --git a/NorthstarDedicatedTest/securitypatches.cpp b/NorthstarDedicatedTest/securitypatches.cpp
new file mode 100644
index 00000000..23c96520
--- /dev/null
+++ b/NorthstarDedicatedTest/securitypatches.cpp
@@ -0,0 +1,51 @@
+#include "pch.h"
+#include "securitypatches.h"
+#include "hookutils.h"
+#include "concommand.h"
+
+typedef bool(*IsValveModType)();
+IsValveModType IsValveMod;
+
+bool IsValveModHook()
+{
+	// basically: by default r2 isn't set as a valve mod, meaning that m_bRestrictServerCommands is false
+	// this is HORRIBLE for security, because it means servers can run arbitrary concommands on clients
+	// especially since we have script commands this could theoretically be awful
+
+	// todo: possibly have a commandline arg to disable this
+	return true;
+}
+
+void InitialiseClientEngineSecurityPatches(HMODULE baseAddress)
+{
+	HookEnabler hook;
+
+	// note: this could break some things
+	ENABLER_CREATEHOOK(hook, (char*)baseAddress + 0x1C6360, &IsValveModHook, reinterpret_cast<LPVOID*>(&IsValveMod));
+	
+	// patches to make commands run from client/ui script still work
+	{
+		void* ptr = (char*)baseAddress + 0x4FB65;
+		TempReadWrite rw(ptr);
+
+		*((char*)ptr) = (char)0xEB;
+		*((char*)ptr + 1) = (char)0x11;
+	}
+
+	{
+		void* ptr = (char*)baseAddress + 0x4FBAC;
+		TempReadWrite rw(ptr);
+
+		*((char*)ptr) = (char)0xEB;
+		*((char*)ptr + 1) = (char)0x16;
+	}
+
+	// byte patches to patch concommands that this messes up that we need
+	{
+		// disconnect concommand
+		void* ptr = (char*)baseAddress + 0x5ADA2D;
+		TempReadWrite rw(ptr);
+	
+		*((int*)ptr) |= FCVAR_SERVER_CAN_EXECUTE;
+	}
+}
\ No newline at end of file
diff --git a/NorthstarDedicatedTest/securitypatches.h b/NorthstarDedicatedTest/securitypatches.h
new file mode 100644
index 00000000..063df46e
--- /dev/null
+++ b/NorthstarDedicatedTest/securitypatches.h
@@ -0,0 +1,2 @@
+#pragma once
+void InitialiseClientEngineSecurityPatches(HMODULE baseAddress);
\ No newline at end of file
diff --git a/NorthstarDedicatedTest/serverauthentication.cpp b/NorthstarDedicatedTest/serverauthentication.cpp
index 77990d24..ea9c4054 100644
--- a/NorthstarDedicatedTest/serverauthentication.cpp
+++ b/NorthstarDedicatedTest/serverauthentication.cpp
@@ -329,8 +329,6 @@ void InitialiseServerAuthentication(HMODULE baseAddress)
 		*((char*)ptr) = (char)0xE9; // jz => jmp
 		*((char*)ptr + 1) = (char)0x90;
 		*((char*)ptr + 2) = (char)0x0;
-
-		*((char*)ptr + 5) = (char)0x90; // nop extra byte we no longer use
 	}
 
 	// patch to allow same of multiple account
diff --git a/R2Northstar.sln b/R2Northstar.sln
index 9c13592d..1b664dd9 100644
--- a/R2Northstar.sln
+++ b/R2Northstar.sln
@@ -26,8 +26,8 @@ Global
 		{0EA82CB0-53FE-4D4C-96DF-47FA970513D0}.Debug|x64.Build.0 = Debug|x64
 		{0EA82CB0-53FE-4D4C-96DF-47FA970513D0}.Debug|x86.ActiveCfg = Debug|Win32
 		{0EA82CB0-53FE-4D4C-96DF-47FA970513D0}.Debug|x86.Build.0 = Debug|Win32
-		{0EA82CB0-53FE-4D4C-96DF-47FA970513D0}.Release|x64.ActiveCfg = Release|Win32
-		{0EA82CB0-53FE-4D4C-96DF-47FA970513D0}.Release|x64.Build.0 = Release|Win32
+		{0EA82CB0-53FE-4D4C-96DF-47FA970513D0}.Release|x64.ActiveCfg = Release|x64
+		{0EA82CB0-53FE-4D4C-96DF-47FA970513D0}.Release|x64.Build.0 = Release|x64
 		{0EA82CB0-53FE-4D4C-96DF-47FA970513D0}.Release|x86.ActiveCfg = Release|Win32
 		{0EA82CB0-53FE-4D4C-96DF-47FA970513D0}.Release|x86.Build.0 = Release|Win32
 	EndGlobalSection