Security
Hermes Agent Web separates the public landing pages from the authenticated AI interface and keeps sensitive application routes out of search indexing.
Public and private areas
The public pages are limited to the landing page, documentation and this security overview. Authentication, API, WebSocket and application routes are configured with noindex headers so search engines do not treat them as public content.
HTTPS access
The production domain is served over HTTPS. HTTP requests are redirected to the canonical HTTPS domain before users reach the public site or the authenticated application.
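One way to check the two controls described above (noindex on non-public routes, HTTP redirected to the canonical HTTPS domain) against captured responses. This is an added example, not the service's own code; the host `hermes.example`, every path, and the reading of "noindex headers" as `X-Robots-Tag` are assumptions.

```python
from urllib.parse import urlsplit

# Assumptions (not from the page): the canonical host and all paths are
# hypothetical placeholders; "noindex headers" is read as X-Robots-Tag.
CANONICAL_HOST = "hermes.example"
PUBLIC_PATHS = {"/", "/docs", "/security"}  # landing, documentation, security overview
REDIRECTS = {301, 302, 307, 308}
BLOCKING = {"noindex", "none"}  # "none" is shorthand for noindex, nofollow

def audit(responses):
    """responses: iterable of (url, status, headers) captured from the site.
    Returns (url, finding) for every response that breaks the stated policy."""
    findings = []
    for url, status, headers in responses:
        h = {k.lower(): v for k, v in headers.items()}
        parts = urlsplit(url)
        if parts.scheme == "http":
            # Plain HTTP must redirect to the canonical HTTPS host, never serve content.
            target = urlsplit(h.get("location", ""))
            if status not in REDIRECTS:
                findings.append((url, "http served without redirect"))
            elif target.scheme != "https" or target.hostname != CANONICAL_HOST:
                findings.append((url, "redirect target is not canonical https"))
            continue
        # Strict parse: a crawler-scoped value ("googlebot: noindex") counts as missing.
        directives = {d.strip().lower() for d in h.get("x-robots-tag", "").split(",")}
        path = parts.path.rstrip("/") or "/"
        blocked = bool(directives & BLOCKING)
        if path not in PUBLIC_PATHS and not blocked:
            findings.append((url, "private route missing noindex"))
        elif path in PUBLIC_PATHS and blocked:
            findings.append((url, "public page marked noindex"))
    return findings

# Constructed sample capture, not real traffic from the service.
SAMPLE = [
    ("http://hermes.example/", 301, {"Location": "https://hermes.example/"}),
    ("http://hermes.example/app", 200, {}),
    ("https://hermes.example/docs/", 200, {}),
    ("https://hermes.example/api/chat", 200, {"X-Robots-Tag": "noindex, nofollow"}),
    ("https://hermes.example/ws", 101, {}),
    ("https://hermes.example/security", 200, {"x-robots-tag": "noindex"}),
]

if __name__ == "__main__":
    for url, finding in audit(SAMPLE):
        print(f"{finding}: {url}")
```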
Bring your own key
Hermes Agent Web is designed around a bring-your-own-provider-key workflow. Add provider credentials only inside the authenticated application, and prefer provider keys that are scoped, revocable and dedicated to this usage.
User guidance
- Do not paste API keys, passwords or private tokens into public pages or support messages.
- Use a unique provider key for this service when possible.
- Rotate or revoke a provider key immediately if you suspect exposure.
- Keep browser sessions private on shared devices and sign out when finished.
Operational note
This page describes the public security posture and safe usage guidance. Detailed provider key storage and retention behavior depends on the authenticated application configuration.