> ## Documentation Index
> Fetch the complete documentation index at: https://hercules.app/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Google Safe Browsing warnings on your domain

> Fix the red "Deceptive site ahead" or "Dangerous site" warning shown by Chrome on a custom domain. Verify in Google Search Console and request a review.

If your users see a full-page red warning from Chrome when they visit your custom domain, your domain has been flagged by **Google Safe Browsing**. The warning is shown by the browser, not by Hercules, and is most common on **brand-new domains** that have only just started serving content.

The two headlines you will usually see are:

* **"Deceptive site ahead"**: the social engineering category. Subtext reads "Attackers on `yourdomain.com` may trick you into doing something dangerous like installing software or revealing your personal information."
* **"Dangerous site"**: the broader category that also covers malware, phishing, and unwanted software.

Firefox, Safari, and most other modern browsers use the same Safe Browsing list, so the warning is not specific to Chrome.

## Why does this happen on a brand-new domain?

Google's Safe Browsing classifier is cautious about domains that have only just started serving content, especially in categories where phishing is common (finance, login pages, adult content, crypto, deals). In most cases this is a **false positive** and clears once you submit a review.

The flag is applied to your **registered domain**, not to anything Hercules serves. That means the review request has to come from you as the domain owner. Hercules cannot submit it on your behalf, because Google requires the request to come from a verified owner of the domain.

## How to clear the warning

These steps usually clear a false-positive flag within **24 to 72 hours**.

<Steps>
  <Step title="Verify your domain in Google Search Console">
    Open [Google Search Console](https://search.google.com/search-console) and add a property for your apex domain (for example, `yourdomain.com`).

    Choose the **Domain** property type, not URL prefix. A Domain property covers your apex and every subdomain in one verification (apex, `www`, `auth`, and any others), so the Security Issues report will show flags on any host under your domain. Google will give you a TXT record to add at your domain registrar to prove ownership. Add the record and click **Verify**.

    If your registrar does not let you add a TXT record, use the **URL prefix** option as a fallback. You will need to add one property per affected host, for example both `https://yourdomain.com` and `https://auth.yourdomain.com`.
  </Step>

  <Step title="Open the Security Issues report">
    Once verification succeeds, open **Security & Manual Actions → Security Issues** in the left navigation.

    This report shows the **exact reason** Google flagged the site and may list sample URLs that triggered the classifier. If sample URLs are shown, review them. If any contain content that genuinely looks deceptive (fake login pages, misleading download buttons, copied branding), fix that content before requesting a review.
  </Step>

  <Step title="Request a review">
    In the Security Issues report, click **Request a Review**. Briefly explain what your site is, that the domain was registered recently, and that the content is not deceptive.

    You can also submit a separate report at the [Google Safe Browsing report form](https://safebrowsing.google.com/safebrowsing/report_error/). Pick **"I believe this isn't a safety threat"** and paste your domain. Submitting both does not hurt.
  </Step>

  <Step title="Wait for the review">
    Reviews typically clear within **24 to 72 hours**. You will get a notification in Search Console's **Messages** page when the review is complete, and the warning will disappear from browsers shortly after.
  </Step>
</Steps>

## Workaround while you wait

Your free `[myapp].onhercules.app` URL is unaffected by the flag on your custom domain and can be used as a temporary URL for your users.

* If you have not already published to a Hercules subdomain, see [Publish to a free Hercules subdomain](/apps/publish/hercules-domain).
* If your custom auth domain (`auth.yourdomain.com`) shows the warning, the flag is typically on your apex domain's reputation, not on the auth subdomain itself, and will clear once the apex is reviewed. Pointing users at the `onhercules.app` URL is the cleanest workaround in the meantime.

## Additional FAQ

<AccordionGroup>
  <Accordion title="Can Hercules submit the review request for me?">
    No. The domain is registered in **your** name, and Google requires the review request to come from a verified owner of the domain. Hercules cannot verify ownership of a domain we did not register.

    If you bought your domain [through Hercules](/apps/publish/buy-domain), the domain is still registered to you, but we can help you walk through the Search Console verification steps. Contact [hello@hercules.app](mailto:hello@hercules.app).
  </Accordion>

  <Accordion title="The Security Issues report shows specific deceptive content. What now?">
    If Google has identified specific URLs that contain deceptive content (fake sign-in forms, misleading download buttons, content that copies another brand), this is not a false positive. Fix the flagged content first, then request the review.

    If you are unsure why a page was flagged, send the contents of the Security Issues report to [hello@hercules.app](mailto:hello@hercules.app) and we can help you adjust the wording or imagery.
  </Accordion>

  <Accordion title="How long until the warning disappears after Google approves the review?">
    Browsers refresh the Safe Browsing list every few hours, so the warning usually disappears within
    **a few hours** of approval, not instantly. If users still see the warning after a day, ask them
    to clear their browser cache.
  </Accordion>

  <Accordion title="How can I avoid this on future domains?">
    Google's classifier looks at signals like SSL setup, redirect health, and whether a brand-new domain is already collecting credentials. Whether you buy [through Hercules](/apps/publish/buy-domain) or register elsewhere, the most common preventative steps are:

    1. Serve traffic over HTTPS with a valid certificate before sharing the URL widely
    2. Avoid putting login or password forms on a page that has been live for less than 24 hours
    3. Do not use brand names, logos, or wording that imitates well-known services on the landing page
    4. Avoid empty or placeholder pages on the domain. Make sure the landing page reflects what the app does.
  </Accordion>

  <Accordion title="My antivirus is flagging my site, not Google. Is that the same thing?">
    No. Antivirus software (Avast, AVG, Norton, etc.) maintains its own block lists separate from Google Safe Browsing. See the [antivirus troubleshooting section](/apps/publish/hercules-domain#additional-faq) on the Hercules subdomain page.
  </Accordion>
</AccordionGroup>