Public Website Security Sweep

What this page covers

This page gives a practical Hermes-assisted checklist for public website security sweeps: verify what anonymous users can see, confirm headers and robots/indexing choices, inspect forms/downloads, and keep private portal data out of public routes.

Hermes changes quickly, so treat the official documentation as the source of truth and use the built-in CLI to inspect the local install before editing config by hand.

Fast path

```bash
# Response headers an anonymous client receives (status line, CSP, cache policy)
curl -I https://example.com/

# Crawler directives as currently published
curl -sS https://example.com/robots.txt

# Status code and content type for one specific public route
curl -sS -o /dev/null -w "%{http_code} %{content_type}\n" https://example.com/wiki

# Hermes-assisted browser pass over the same page
hermes chat --toolsets web,browser -q "Verify this public page as an anonymous user and summarize console/network issues."
```

Practical checklist

  • Check anonymous home, landing, wiki/docs, download, and article routes.
  • Confirm private/admin navigation, owner dashboards, private storage URLs, and customer data are absent from public HTML.
  • Verify security headers such as CSP where used, plus cache headers appropriate for public vs private pages.
  • Test direct asset URLs for gated downloads; public cards should not leak ungated source files when lead capture is required.
  • Check robots/sitemap/noindex choices match launch status.
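As an added example that is not part of this page or of Hermes, the following POSIX shell functions turn the header and source-leak items above into a repeatable anonymous-client check: `check_headers` reads a raw header dump and flags missing security headers plus a cache policy that does not fit the page's public or private status, `scan_html_for_leaks` greps the served markup for private markers, and `sweep_url` wires both to live `curl` calls. The baseline header list, the leak patterns and the example.com URLs are assumptions to adapt to your own site.

```shell
#!/bin/sh
# Added example (not from this page or from Hermes): an anonymous-client
# header and source-leak audit. The required header list, the leak patterns
# and the example.com URLs are assumptions; adapt them to your site.

# Read raw response headers on stdin (as printed by `curl -sSI`) and check
# them for a page that is meant to be "public" or "private" (argument 1).
# Prints one line per finding; returns 1 if anything is wrong.
check_headers() {
    mode=${1:-public}
    hdrs=$(tr -d '\r')      # strip CRLF so anchored greps work
    rc=0
    # Assumed baseline: adjust to the headers your site commits to.
    for name in content-security-policy strict-transport-security \
                x-content-type-options referrer-policy; do
        if ! printf '%s\n' "$hdrs" | grep -qi "^$name:"; then
            echo "MISSING header: $name"
            rc=1
        fi
    done
    cc=$(printf '%s\n' "$hdrs" | grep -i '^cache-control:' | cut -d: -f2-)
    case "$mode" in
        public)
            # A public page marked private/no-store defeats CDN and browser caching.
            if printf '%s' "$cc" | grep -qiE 'private|no-store'; then
                echo "WARN public page sent Cache-Control:$cc"
                rc=1
            fi ;;
        private)
            # A private page without private/no-store may land in shared caches.
            if ! printf '%s' "$cc" | grep -qiE 'private|no-store'; then
                echo "MISSING private page needs Cache-Control: private or no-store"
                rc=1
            fi ;;
    esac
    return $rc
}

# Read HTML on stdin and print every line carrying a marker that should
# never appear in public markup. Returns 1 if anything matched.
scan_html_for_leaks() {
    # Constructed patterns: owner-only routes, a private storage host, field names.
    pattern='/admin/|/dashboard|/_private/|internal-storage\.example\.com|api_key|customer_id'
    if grep -niE "$pattern"; then
        echo "LEAK: private markers found in public HTML (line:content above)"
        return 1
    fi
    return 0
}

# Fetch a live URL with no cookies or credentials and run both checks.
# Usage: sweep_url https://example.com/wiki public
sweep_url() {
    url=$1
    mode=${2:-public}
    status=$(curl -sS -o /dev/null -w '%{http_code}' "$url")
    echo "== $url -> HTTP $status"
    curl -sSI "$url" | check_headers "$mode"
    curl -sS "$url" | scan_html_for_leaks
}

# Sweep each route given on the command line, e.g.:
#   sh sweep.sh https://example.com/ https://example.com/wiki https://example.com/download
for route in "$@"; do
    sweep_url "$route" public
done
```

Run it from a machine with no session cookies for the site, so the responses are what a crawler or a stranger would get; the HTML scan is deliberately applied to the raw response rather than the rendered DOM, which is where the "only checking the browser view" pitfall hides.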

Common pitfalls

  • Only checking the rendered browser view and missing HTML/source leaks.
  • Adding analytics or third-party scripts without updating CSP and live collector checks.
  • Copying a whole private data folder into a public Docker image just to serve one public JSON file.
  • Leaving preview routes discoverable in nav, sitemap, or robots when they should be exact-URL only.

Verification checklist

  • Anonymous `curl` checks return expected 200/30x/40x codes.
  • Browser console and network panel show no obvious blocked critical assets or private endpoint calls.
  • Public pages contain no owner-only links/data.
  • Robots/sitemap/indexing state matches the intended public or preview status.
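The robots, sitemap and preview-route items above reduce to one consistency question: does anything the sitemap advertises contradict robots.txt, and does any exact-URL-only preview route appear in the sitemap at all? As an added example that is not part of this page or of Hermes, the POSIX shell below answers that from two saved files plus a list of preview prefixes; the `example.com` inputs in the comments are constructed and the `/preview/` prefix is an assumption.

```shell
#!/bin/sh
# Added example (not from this page or from Hermes): cross-check robots.txt
# against the sitemap and a list of exact-URL-only preview prefixes.

# Print the non-empty Disallow path prefixes from robots.txt text on stdin.
# An empty "Disallow:" means "allow everything" and is dropped.
robots_disallows() {
    tr -d '\r' | sed -n 's/^[Dd]isallow:[[:space:]]*//p' | sed '/^$/d'
}

# Print the <loc> URLs from sitemap XML on stdin, one per line.
sitemap_urls() {
    tr -d '\r' | grep -o '<loc>[^<]*</loc>' | sed 's#<loc>##; s#</loc>##'
}

# Path component of a URL (scheme and host stripped).
url_path() {
    printf '%s\n' "$1" | sed 's#^[A-Za-z][A-Za-z0-9+.-]*://[^/]*##'
}

# Usage: sitemap_consistency ROBOTS_FILE SITEMAP_FILE [PREVIEW_PREFIX...]
# Prints one line per conflict:
#   DISALLOWED_IN_SITEMAP <url>   advertised to crawlers but blocked by robots
#   PREVIEW_IN_SITEMAP    <url>   exact-URL-only route made discoverable
# Returns 1 if any conflict was found, else 0.
sitemap_consistency() {
    robots=$1
    sitemap=$2
    shift 2
    disallows=$(robots_disallows < "$robots")
    found=0
    for url in $(sitemap_urls < "$sitemap"); do
        path=$(url_path "$url")
        for d in $disallows; do
            case "$path" in "$d"*) echo "DISALLOWED_IN_SITEMAP $url"; found=1 ;; esac
        done
        for p in "$@"; do
            case "$path" in "$p"*) echo "PREVIEW_IN_SITEMAP $url"; found=1 ;; esac
        done
    done
    return $found
}

# Live wiring (not run here): fetch both files as an anonymous client first.
#   curl -sS https://example.com/robots.txt  > robots.txt
#   curl -sS https://example.com/sitemap.xml > sitemap.xml
#   sitemap_consistency robots.txt sitemap.xml /preview/
```

A preview route that is meant to be exact-URL only should fail this check if it shows up in the sitemap, and should also be absent from navigation, which the HTML scan in the earlier checklist covers; the two checks are independent, so run both.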

Official reference

https://hermes-agent.nousresearch.com/docs/user-guide/features/tools/