# Security Audit

> Run security audits to find vulnerabilities. Findings are prioritized, critical and high first, and come with actionable fixes.

Security audits let you review your app's security posture and fix any vulnerabilities before publishing. They are part of [Audits](/apps/audits), where Hercules takes a deep dive into a specific area of your app and reports fixes you can apply.

<div className="screenshot ocean">
  <img src="https://mintcdn.com/zeus-0f6dadbf/vyfZOWPi9KdyCPiO/images/apps/security.png?fit=max&auto=format&n=vyfZOWPi9KdyCPiO&q=85&s=f6ef99966ad35b76b755a1bbf6cf0d8d" alt="Security audit results with severity levels and findings" width="789" height="517" data-path="images/apps/security.png" />
</div>

### What security audits can I run?

Three audits cover security and access, found under **Security & Access** in the [Audits](/apps/audits) tab:

* **Security:** Find vulnerabilities and get recommendations to fix them. Covers authentication, authorization, input validation, injection, secret exposure, and insecure data handling.
* **Identity & Access:** Verify auth and permissions are implemented correctly. Confirms every backend function enforces authorization, ownership checks, and role-based access.
* **Dependency & Supply Chain:** Check for outdated, vulnerable, or risky dependencies, unused packages, and license risks.

### How do I check my app's security?

1. Open the **Audits** tab in the sidebar
2. Under **Security & Access**, click **Run Audit** on the audit you want
3. Wait for the analysis to complete
4. Review prioritized findings

Each audit checks for common issues and provides actionable recommendations.

### What do the severity levels mean?

* **Critical:** Fix immediately. Serious vulnerabilities that could compromise your app or user data.
* **High:** Fix before publishing. Significant issues that should be addressed.
* **Medium:** Fix when convenient. Issues worth fixing to improve security, but not urgent.
* **Low:** Consider fixing. Minor improvements or best practices.

**Best practice:** Fix all critical and high issues before publishing your app.

### What else should I do to keep my app secure?

**Keep secrets secure**

* Use the Secrets panel for API keys
* Never hardcode sensitive values
* Rotate keys if compromised

**Limit access**

* Use role-based permissions
* Restrict admin pages
* Validate user input

**Run security audits regularly**

* Check security analysis after major changes
* Fix critical and high issues promptly
