3.4.2 Configuring HTTP Protocol Attributes

Determine HTTPS requirements for an Oracle APEX instance and all related applications.

Note:

Enabling Require HTTPS makes APEX unreachable over plain HTTP. Before enabling this setting, ensure that the HTTPS protocol is enabled and configured correctly on your server.

3.4.2.1 About SSL

Secure Sockets Layer (SSL) is a protocol for managing the security of data transmitted on the Internet. For web applications, SSL is implemented by using the HTTPS protocol. Oracle recommends running APEX applications using SSL (HTTPS protocol) to prevent any sensitive data from being sent over an unencrypted (cleartext) communication channel.

3.4.2.2 Requiring HTTPS

Configure both the APEX instance and all related applications to require HTTPS by configuring the Require HTTPS and Require Outbound HTTPS attributes.

Important:

If you enable Require HTTPS, it makes APEX unreachable by the HTTP protocol. Before enabling this setting, ensure that the HTTPS protocol is enabled and configured correctly on your server.

To require HTTPS in APEX:

  1. Sign in to APEX Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Under HTTP Protocol, configure the following:
    1. Require HTTPS:
      • Always - Enforces HTTPS for all applications, including the APEX development and administration applications.

        If set to Always, the Strict-Transport-Security Max Age attribute displays. Use this field to specify the period, in seconds, during which browsers must access the server over HTTPS only. To learn more, see field-level Help.

      • Development and Administration - Forces all internal applications within APEX (that is, App Builder, SQL Workshop, Administration Services, and so on) to require HTTPS.

      • Application specific - Makes HTTPS dependent on application-level settings.

    2. Require Outbound HTTPS - Select Yes to require all outbound traffic from an APEX instance to use the HTTPS protocol.
    3. HTTP Response Headers - Enter additional HTTP response headers that APEX should send on each request for all applications. Developers can specify additional headers at the application level. Each header has to start on a new line. Note that support for various headers differs between browsers. To learn more, see field-level Help.
  5. Click Apply Changes.

3.4.2.3 Reversing Require HTTPS

If you enable Require HTTPS, an Instance administrator can disable it by running the following SQL statements.

To reverse Require HTTPS:

  1. Connect in SQL*Plus or SQL Developer with the APEX engine schema as the current schema, for example:
    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
  2. Run the following statement:
    ALTER SESSION SET CURRENT_SCHEMA = APEX_220200;
    
  3. Run the following statement:
    BEGIN
        APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_HTTPS', 'N');
        COMMIT;
    END;
    /
    

3.4.2.4 Reversing Require Outbound HTTPS

If you enable Require Outbound HTTPS, an Instance administrator can disable it by running the following SQL statements.

To reverse Require Outbound HTTPS:

  1. Connect in SQL*Plus or SQL Developer with the APEX engine schema as the current schema, for example:
    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
  2. Run the following statement:
    ALTER SESSION SET CURRENT_SCHEMA = APEX_220200;
    
  3. Run the following statement:
    BEGIN
        APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_OUT_HTTPS', 'N');
        COMMIT;
    END;
    /
    
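The following PL/SQL block is an added example, not part of the Oracle documentation, and covers both the Require HTTPS and Require Outbound HTTPS reversals above. It reads the current values with APEX_INSTANCE_ADMIN.GET_PARAMETER before changing anything, so an administrator has a record of what was in force, and only issues the updates that are actually needed. It assumes the session has already been connected as in step 1 and that ALTER SESSION SET CURRENT_SCHEMA = APEX_220200 has been run (step 2); the parameter names REQUIRE_HTTPS and REQUIRE_OUT_HTTPS are the ones used on this page.

```sql
-- Added example (not from the Oracle documentation): report, then reverse,
-- the REQUIRE_HTTPS and REQUIRE_OUT_HTTPS instance parameters.
-- Run with the APEX engine schema as the current schema, for example after:
--   ALTER SESSION SET CURRENT_SCHEMA = APEX_220200;
SET SERVEROUTPUT ON

DECLARE
    l_https     VARCHAR2(4000);
    l_out_https VARCHAR2(4000);
BEGIN
    -- Record the values in force before the change so the action is auditable.
    l_https     := APEX_INSTANCE_ADMIN.GET_PARAMETER('REQUIRE_HTTPS');
    l_out_https := APEX_INSTANCE_ADMIN.GET_PARAMETER('REQUIRE_OUT_HTTPS');
    DBMS_OUTPUT.PUT_LINE('Before: REQUIRE_HTTPS=' || l_https ||
                         ' REQUIRE_OUT_HTTPS=' || l_out_https);

    -- Only touch a parameter that is not already 'N' (NVL guards a NULL value).
    IF NVL(l_https, 'X') <> 'N' THEN
        APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_HTTPS', 'N');
    END IF;
    IF NVL(l_out_https, 'X') <> 'N' THEN
        APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_OUT_HTTPS', 'N');
    END IF;
    COMMIT;

    -- Read the values back to confirm the change took effect.
    DBMS_OUTPUT.PUT_LINE('After:  REQUIRE_HTTPS=' ||
        APEX_INSTANCE_ADMIN.GET_PARAMETER('REQUIRE_HTTPS') ||
        ' REQUIRE_OUT_HTTPS=' ||
        APEX_INSTANCE_ADMIN.GET_PARAMETER('REQUIRE_OUT_HTTPS'));
END;
/
```

Disabling Require HTTPS reopens the instance to cleartext HTTP, so the "Before" line is worth keeping with the change record; re-enabling is done in Administration Services as described in 3.4.2.2 once the server-side HTTPS configuration has been verified.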

3.4.2.5 Configuring Additional Response Headers

Enter additional HTTP response headers that APEX should send on each request, for all applications.

To configure additional response headers:

  1. Sign in to APEX Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate HTTP Protocol.
  5. In HTTP Response Headers, enter additional HTTP response headers that APEX should send on each request for all applications.

    Developers can specify additional headers at the application level. Each header has to start on a new line. Support for various headers differs between browsers.

    One important security-related header is Content-Security-Policy. Sending this header can significantly reduce the risk of cross-site scripting (XSS) and related attacks. To learn more, see field-level Help.

  6. Click Apply Changes.
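As an added example that is not part of the Oracle documentation, the block below sets the same instance-wide header list from SQL instead of the Administration Services field, and shows the kind of value an administrator would enter. It assumes that the instance parameter backing the HTTP Response Headers field is named HTTP_RESPONSE_HEADERS and that it accepts the same newline-separated "Name: value" text as the field; the header set itself is constructed for illustration. Content-Security-Policy is deployed in Report-Only mode first, because APEX pages rely on inline script and style and a policy that breaks them is far easier to discover from browser violation reports than from a broken instance.

```sql
-- Added example (not from the Oracle documentation): set instance-wide HTTP
-- response headers from SQL. Assumed parameter name: HTTP_RESPONSE_HEADERS.
-- Run with the APEX engine schema as the current schema, for example after:
--   ALTER SESSION SET CURRENT_SCHEMA = APEX_220200;
SET SERVEROUTPUT ON

DECLARE
    -- Constructed header set; one "Name: value" pair per line, as in the field.
    -- The CSP is sent as Report-Only so browsers log violations instead of
    -- blocking resources. Once the reports show no breakage, change the header
    -- name to Content-Security-Policy to enforce it.
    l_headers VARCHAR2(4000) :=
        'X-Content-Type-Options: nosniff' || chr(10) ||
        'Referrer-Policy: strict-origin-when-cross-origin' || chr(10) ||
        'Content-Security-Policy-Report-Only: default-src ''self''; ' ||
            'img-src ''self'' data:; ' ||
            'script-src ''self'' ''unsafe-inline''; ' ||
            'style-src ''self'' ''unsafe-inline''';
BEGIN
    APEX_INSTANCE_ADMIN.SET_PARAMETER('HTTP_RESPONSE_HEADERS', l_headers);
    COMMIT;

    -- Read the value back to confirm what APEX will now send on every request.
    DBMS_OUTPUT.PUT_LINE(APEX_INSTANCE_ADMIN.GET_PARAMETER('HTTP_RESPONSE_HEADERS'));
END;
/
```

After applying the change, load a page from an application and from App Builder and check the response headers and the browser console: a Report-Only CSP that reports no violations on the pages you care about is the signal that it can be switched to the enforcing Content-Security-Policy header.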