Skip to main content

Documentation Index

Fetch the complete documentation index at: https://hercules.app/docs/llms.txt

Use this file to discover all available pages before exploring further.

If your users see a full-page red warning from Chrome when they visit your custom domain, your domain has been flagged by Google Safe Browsing. The warning is shown by the browser, not by Hercules, and is most common on brand-new domains that have only just started serving content. The two headlines you will usually see are:
  • “Deceptive site ahead”: the social engineering category. Subtext reads “Attackers on yourdomain.com may trick you into doing something dangerous like installing software or revealing your personal information.”
  • “Dangerous site”: the broader category that also covers malware, phishing, and unwanted software.
Firefox, Safari, and most other modern browsers use the same Safe Browsing list, so the warning is not specific to Chrome.

Why does this happen on a brand-new domain?

Google’s Safe Browsing classifier is cautious about domains that have only just started serving content, especially in categories where phishing is common (finance, login pages, adult content, crypto, deals). In most cases this is a false positive and clears once you submit a review. The flag is applied to your registered domain, not to anything Hercules serves. That means the review request has to come from you as the domain owner. Hercules cannot submit it on your behalf, because Google requires the request to come from a verified owner of the domain.

How to clear the warning

These steps usually clear a false-positive flag within 24 to 72 hours.
1

Verify your domain in Google Search Console

Open Google Search Console and add a property for your apex domain (for example, yourdomain.com).Choose the Domain property type, not URL prefix. A Domain property covers your apex and every subdomain in one verification (apex, www, auth, and any others), so the Security Issues report will show flags on any host under your domain. Google will give you a TXT record to add at your domain registrar to prove ownership. Add the record and click Verify.If your registrar does not let you add a TXT record, use the URL prefix option as a fallback. You will need to add one property per affected host, for example both https://yourdomain.com and https://auth.yourdomain.com.
2

Open the Security Issues report

Once verification succeeds, open Security & Manual Actions → Security Issues in the left navigation.This report shows the exact reason Google flagged the site and may list sample URLs that triggered the classifier. If sample URLs are shown, review them. If any contain content that genuinely looks deceptive (fake login pages, misleading download buttons, copied branding), fix that content before requesting a review.
3

Request a review

In the Security Issues report, click Request a Review. Briefly explain what your site is, that the domain was registered recently, and that the content is not deceptive.You can also submit a separate report at the Google Safe Browsing report form. Pick “I believe this isn’t a safety threat” and paste your domain. Submitting both does not hurt.
4

Wait for the review

Reviews typically clear within 24 to 72 hours. You will get a notification in Search Console’s Messages page when the review is complete, and the warning will disappear from browsers shortly after.

Workaround while you wait

Your free [myapp].onhercules.app URL is unaffected by the flag on your custom domain and can be used as a temporary URL for your users.
  • If you have not already published to a Hercules subdomain, see Publish to a free Hercules subdomain.
  • If your custom auth domain (auth.yourdomain.com) shows the warning, the flag is typically on your apex domain’s reputation, not on the auth subdomain itself, and will clear once the apex is reviewed. Pointing users at the onhercules.app URL is the cleanest workaround in the meantime.

Additional FAQ

No. The domain is registered in your name, and Google requires the review request to come from a verified owner of the domain. Hercules cannot verify ownership of a domain we did not register.If you bought your domain through Hercules, the domain is still registered to you, but we can help you walk through the Search Console verification steps. Contact hello@hercules.app.
If Google has identified specific URLs that contain deceptive content (fake sign-in forms, misleading download buttons, content that copies another brand), this is not a false positive. Fix the flagged content first, then request the review.If you are unsure why a page was flagged, send the contents of the Security Issues report to hello@hercules.app and we can help you adjust the wording or imagery.
Browsers refresh the Safe Browsing list every few hours, so the warning usually disappears within a few hours of approval, not instantly. If users still see the warning after a day, ask them to clear their browser cache.
Google’s classifier looks at signals like SSL setup, redirect health, and whether a brand-new domain is already collecting credentials. Whether you buy through Hercules or register elsewhere, the most common preventative steps are:
  1. Serve traffic over HTTPS with a valid certificate before sharing the URL widely
  2. Avoid putting login or password forms on a page that has been live for less than 24 hours
  3. Do not use brand names, logos, or wording that imitates well-known services on the landing page
  4. Avoid empty or placeholder pages on the domain. Make sure the landing page reflects what the app does.
No. Antivirus software (Avast, AVG, Norton, etc.) maintains its own block lists separate from Google Safe Browsing. See the antivirus troubleshooting section on the Hercules subdomain page.