Learn about security best practices when managing an Oracle Application Express instance.
Note: To ensure the security and performance of your development environment, this functionality is not available in Oracle APEX instances running in Oracle Cloud.
See Also: "Configuring Security" in Oracle APEX Administration Guide
About Creating Login Controls
Administrators can configure login controls for an entire instance or for individual workspaces.
Workspace administrators and developers can create user accounts for the purpose of logging in to the Oracle Application Express development environment and for end-user authentication to applications developed within their workspaces.
Administrators can configure login controls at the instance or workspace level. For example, if an Instance administrator configures account login controls in Oracle Application Express Administration Services, that configuration applies to all Application Express accounts in all workspaces across the entire development instance.
If the Instance administrator does not enable login controls across an entire instance, then each Workspace administrator can enable the following controls on a workspace-by-workspace basis:
End-user account expiration and locking.
A maximum number of failed login attempts for end-user accounts.
The password lifetime (the number of days an end-user account password can be used before it expires).
See Also: "Managing Workspace Account Login Controls" and "Configuring Authentication Controls for an Instance" in Oracle APEX Administration Guide
About Enabling Public File Upload
Administrators can use the Allow Public File Upload attribute to control whether unauthenticated users can upload files in applications that provide file upload capability.
See Also: "Controlling Public File Upload" in Oracle APEX Administration Guide
About Restricting User Access by IP Address
Administrators can restrict user access to an Oracle Application Express instance by entering a comma-delimited list of allowable IP addresses in the Restrict Access by IP Address attribute on the Manage Instance, Security page.
See Also: "Restricting User Access by IP Address" in Oracle APEX Administration Guide
About Specifying an Instance Proxy
Administrators can use the Instance Proxy attribute to configure an entire Oracle Application Express instance to use a proxy for all outbound HTTP traffic.
Setting a proxy at the instance level supersedes any proxies defined at the application level or in web service references. If a proxy is specified, regions of type URL, Web services, and report printing will use the proxy.
See Also: "Configuring a Proxy Server for an Instance" in Oracle APEX Administration Guide
About Utilizing Secure Sockets Layer
Secure Sockets Layer (SSL) is a protocol for managing the security of data transmitted on the Internet. For web applications, SSL is implemented by using the HTTPS protocol. Oracle recommends that you run Oracle Application Express applications using SSL (HTTPS protocol) to prevent any sensitive data from being sent over an unencrypted (cleartext) communication channel.
Instance administrators can configure both their Oracle Application Express instance and all related applications to require HTTPS by configuring the Require HTTPS and Require Outbound HTTPS attributes. Configuring these attributes forces authenticated pages within the App Builder to require HTTPS which encrypts network communications. Changing the Require HTTPS option does not affect the web server in any way. You will still need to enable the web server for HTTPS for these options to have any meaning. To learn more about enabling HTTPS, see the documentation for your specific web server.
Require HTTPS options include:
Always - Enforces HTTPS for all applications, including the Oracle Application Express development and administration applications.
Development and Administration - Forces all internal applications within Oracle Application Express (that is, App Builder, SQL Workshop, Instance Administration and so on) to require HTTPS.
Application specific - Makes HTTPS dependent on application-level settings.
See Also: "Configuring HTTP Protocol Attributes" in Oracle APEX Administration Guide
About Enabling RESTful Access
Administrators can use the Allow RESTful Access attribute to control whether developers can expose report regions as RESTful services.
See Also: "Enabling RESTful Services for an Instance" in Oracle APEX Administration Guide
About Rejoin Sessions
Use the Rejoin Sessions attribute to control if Oracle Application Express supports application URLs that do not contain session IDs.
For security reasons, Oracle recommends that administrators disable Rejoin Sessions unless they implement workspace isolation by configuring the Allow Hostname attribute at the workspace or instance level. See "About Isolating Workspaces."
When Rejoin Sessions is enabled and a URL does not contain a session ID, Oracle Application Express attempts to use the session cookie to join an existing session. To use Rejoin Sessions, administrators must enable Rejoin Sessions at the application or page level. Note that a more restrictive value of Rejoin Sessions at the instance level overrides application and page settings.
While supporting session joins is convenient, it does present some serious security risks:
Triggering malicious session state changes or other modifications.
If an attacker tricks the user into clicking an application link, this can trigger malicious session state changes or other modifications. Because of this risk, Application Express requires a checksum that the attacker will not be able to guess when processing requests that alter data.
Triggering unintended changes between applications.
If a user has two applications open in separate tabs on the same Oracle Application Express instance, one application could trigger unintended changes in the other one. The attacking application could be written by a hacker or it could have an XSS vulnerability that enables an attacker to inject code. This application could use Ajax calls that simulate user interactions with the other application.
About Isolating Workspaces
Isolating workspaces is an effective approach to preventing browser attacks.
The only way to truly isolate a workspace is to enforce different domains in the URL by configuring the Allow Hostnames attribute in Oracle Application Express Administration Services. When the URLs of the attacker and the victim have different domains and hostnames, the browser's same-origin policy prevents attacks.
Workspace isolation by configuring Allow Hostnames is a countermeasure against client-side attacks that attempt to cross workspace boundaries. This security measure is not necessary if you trust all applications that are accessible using the instance's host, which includes applications written in other frameworks and languages such as Oracle Application Development Framework (ADF) and Java.
About Utilizing Session Timeout
Configure Session Timeout attributes to reduce your application's exposure.
Users often leave their computers unattended for extended periods and do not close applications before departing. Therefore, an unauthorized person can easily assume the user's identity within the application. Setting the session and idle timeouts automatically logs users out of the application after the specified period.
Session Timeout attributes include:
Maximum Session Length in Seconds
Maximum Session Idle Time in Seconds
Session Timeout Warning in Seconds
Session Timeout URL (application-level setting)
Idle Timeout URL (application-level setting)
Developers can configure session timeout for a specific application, or administrators can configure session timeout for a workspace or an entire instance.
Restricting Password Reuse
Site administrators can restrict password reuse for all administrator, developer, and end-user accounts based on a history of passwords previously used for the accounts.
To restrict password reuse:
- Start SQL*Plus and connect to the database where Oracle Application Express is installed as a user having the APEX_ADMINISTRATOR_ROLE role or as SYSDBA. For example:
On Windows:
SYSTEM_DRIVE:\ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password
On UNIX and Linux:
$ sqlplus /nolog
SQL> CONNECT SYS as SYSDBA
Enter password: SYS_password
Note: APEX_ADMINISTRATOR_ROLE must be granted directly to a user and not through another database role.
- Execute the following statement:
ALTER SESSION SET CURRENT_SCHEMA = APEX_210200;
- Execute the following statement:
BEGIN
    APEX_INSTANCE_ADMIN.SET_PARAMETER('PASSWORD_HISTORY_DAYS',365);
    COMMIT;
END;
/
This restricts new or updated passwords to those that have not been used for the account for the previous 365 days. Recording of previously used passwords (actually, hashed representations of passwords) begins upon installation of Oracle Application Express.
- To disable this feature, run the block above, providing 0 for the parameter value. For example:
BEGIN
    APEX_INSTANCE_ADMIN.SET_PARAMETER('PASSWORD_HISTORY_DAYS',0);
    COMMIT;
END;
/
About Enabling RESTful Services
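The password-reuse procedure above and the session timeout attributes described earlier are both instance parameters set through APEX_INSTANCE_ADMIN. The following block is an added example, not part of the Oracle documentation: it reads a small set of security parameters with APEX_INSTANCE_ADMIN.GET_PARAMETER, reports any drift from a constructed hardening baseline, and re-applies only the PASSWORD_HISTORY_DAYS value using the same SET_PARAMETER call shown above. It assumes the same SQL*Plus session (APEX_ADMINISTRATOR_ROLE or SYSDBA, CURRENT_SCHEMA set to the APEX schema); parameter names other than PASSWORD_HISTORY_DAYS are taken from the APEX_INSTANCE_ADMIN package reference and should be verified against your release.

```sql
-- Added example (not Oracle's code): audit instance security parameters
-- against a baseline and enforce the password-history setting.
-- Assumes a session with APEX_ADMINISTRATOR_ROLE or SYSDBA and
-- CURRENT_SCHEMA set to the APEX schema, as in the procedure above.
SET SERVEROUTPUT ON
DECLARE
  TYPE t_baseline IS TABLE OF VARCHAR2(4000) INDEX BY VARCHAR2(64);
  l_expected t_baseline;
  l_actual   VARCHAR2(4000);
  l_name     VARCHAR2(64);
  l_drift    PLS_INTEGER := 0;
BEGIN
  -- Baseline values are constructed for this example; tune to your policy.
  -- Names other than PASSWORD_HISTORY_DAYS are assumed from the package
  -- reference for APEX_INSTANCE_ADMIN; check them for your release.
  l_expected('PASSWORD_HISTORY_DAYS')    := '365';  -- no reuse within a year
  l_expected('REQUIRE_HTTPS')            := 'A';    -- Always
  l_expected('REJOIN_SESSIONS')          := 'N';    -- Disabled
  l_expected('ALLOW_PUBLIC_FILE_UPLOAD') := 'N';
  l_expected('MAX_SESSION_IDLE_SEC')     := '1800'; -- 30 minutes idle

  l_name := l_expected.FIRST;
  WHILE l_name IS NOT NULL LOOP
    l_actual := APEX_INSTANCE_ADMIN.GET_PARAMETER(p_parameter => l_name);
    IF l_actual IS NULL OR l_actual <> l_expected(l_name) THEN
      l_drift := l_drift + 1;
      DBMS_OUTPUT.PUT_LINE('DRIFT  ' || RPAD(l_name, 26) ||
                           ' expected=' || l_expected(l_name) ||
                           ' actual=' || NVL(l_actual, '<unset>'));
    ELSE
      DBMS_OUTPUT.PUT_LINE('OK     ' || l_name);
    END IF;
    l_name := l_expected.NEXT(l_name);
  END LOOP;

  -- Only the password-history baseline is enforced automatically, mirroring
  -- the documented procedure; the other settings are reported for review.
  IF NVL(TO_NUMBER(APEX_INSTANCE_ADMIN.GET_PARAMETER('PASSWORD_HISTORY_DAYS')), 0)
       < TO_NUMBER(l_expected('PASSWORD_HISTORY_DAYS')) THEN
    APEX_INSTANCE_ADMIN.SET_PARAMETER('PASSWORD_HISTORY_DAYS',
                                      l_expected('PASSWORD_HISTORY_DAYS'));
    COMMIT;
    DBMS_OUTPUT.PUT_LINE('FIXED  PASSWORD_HISTORY_DAYS set to ' ||
                         l_expected('PASSWORD_HISTORY_DAYS'));
  END IF;
  DBMS_OUTPUT.PUT_LINE(l_drift || ' parameter(s) drifted from baseline');
END;
/
```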
Administrators can control the ability to create and access RESTful Services at either the workspace or instance-level.
Disabling the Enable RESTful Services attribute prevents developers from creating and editing RESTful Web Services mapped to SQL and PL/SQL in conjunction with Oracle REST Data Services 2.0 or later.
To configure Enable RESTful Services:
In Workspace Administration — Sign in to Oracle Application Express and click the Administration menu. Select Manage Service, Set Workspace Preferences, SQL Workshop and find the Enable RESTful Services attribute.
In Instance Administration — Sign in to Oracle Application Express Administration Services. Under Instance Settings, click Feature Configuration. Find the REST tab and then the Enable RESTful Services attribute.
See Also: "Enabling RESTful Services and Defining a Path Prefix for a Workspace" and "Enabling RESTful Services for an Instance" in Oracle APEX Administration Guide