3.5.2 Configuring Security
Instance administrators can configure instance security, including service-level security, configuring support for Real Application Security, configuring session time out, preventing browser attacks by isolating workspaces, excluding domains from regions and Web services, configuring authentication controls, creating strong password policies, restricting access by Database Access Descriptor (DAD), and managing authorized URLs.
- Configuring Service-level Security Settings
Instance administrators can configure service-level security in Manage Instance, Security, Security Settings, Security. - Configuring HTTP Protocol Attributes
Determine HTTPS requirements for an Oracle Application Express instance and all related applications. - Enabling Real Application Security
Enable Oracle Real Application Security. - Configuring Session Timeout for an Instance
Use the Session Timeout attributes for an instance to reduce exposure at the application-level for abandoned computers with an open web browser. - Isolating All Workspaces in an Instance
Instance administrators can prevent browser attacks by isolating a workspace. - Defining Excluded Domains for Regions and Web Services
Define a list of restricted domains for regions of type URL and Web services. If a Web service or region of type URL contains an excluded domain, an error displays informing the user that it is restricted. - Configuring Authentication Controls for an Instance
Configure authentication controls for an entire Oracle Application Express instance. - Creating Strong Password Policies
Instance administrators can create strong password policies for an Oracle Application Express instance. - Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)
Restrict access to Oracle Application Express by Database Access Descriptor (DAD). - Managing Authorized URLs
Create and manage a list of authorized URLs.
Parent topic: Managing Instance Settings
3.5.2.1 Configuring Service-level Security Settings
Instance administrators can configure service-level security in Manage Instance, Security, Security Settings, Security.
Service-level security includes configuring login controls, controlling file upload capability, restricting access by IP address, configuring a proxy server for an instance, controlling support for URLs containing session IDs, and controlling how Oracle Application Express displays the results of unhandled errors.
- Controlling If Cookies Populate the Login Form
Control if a convenience cookie is sent to a user's computer whenever a developer or administrator logs in to a workspace from the Application Express Login page. - Disabling Access to Oracle Application Express Administration Services
Prevent a user from logging in to Oracle Application Express Administration Services. - Enabling Access to Oracle Application Express Administration Services
If access to Oracle Application Express Administration Services has been disabled, an Instance administrator can re-enable again by running the following SQL statements. - Disabling Workspace Login Access
Restrict user access to Application Express by disabling workspace login. Disabling workspace login in production environments prevents users from running Application Express applications such as App Builder. - Controlling Public File Upload
Use the Allow Public File Upload attribute to control whether unauthenticated users can upload files in applications that provide file upload controls. - Restricting User Access by IP Address
Restrict user access to an Oracle Application Express instance by specifying a comma-delimited list of allowable IP addresses. - Configuring a Proxy Server for an Instance
Configure an entire Oracle Application Express instance to use a proxy for all outbound HTTP traffic. - Selecting a Checksum Hash Function
Select a hash function that Application Express uses to generate one way hash strings for checksums. - Configuring Rejoin Sessions for an Instance
Controls at the application-level if whether URLs in this application contain session IDs. - Configuring Unhandled Errors
Control how Oracle Application Express displays the results of unhandled errors
Parent topic: Configuring Security
3.5.2.1.1 Controlling If Cookies Populate the Login Form
Control if a convenience cookie is sent to a user's computer whenever a developer or administrator logs in to a workspace from the Application Express Login page.
If Set Workspace Cookie option is set to Yes, Oracle Application Express sends a persistent cookie that:
-
Combines the last used workspace name and user name
-
Has a lifetime of six months
-
Is read to populate the Application Express Workspace Login form (but not the Oracle Application Express Administration Services Login form)
To control if cookies populate the login form:
- Sign in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Locate the Security section.
- For Set Workspace Cookie, select No.
-
Yes - Enables the Application Express workspace login page to send a persistent cookie containing the last used workspace name and username combination.
This cookie has a lifetime of six months and is used to populate the Workspace and Username fields of the Application Express workspace login form (not the Service Administration login form).
- No - Prevents this cookie from being sent.
-
- Click Apply Changes.
Note:
If your system has received this cookie, you can physically remove it from its persistent location on disk using browser tools or system utilities. The cookie is named ORA_WWV_REMEMBER_UN.
In older releases of Oracle Application Express, this cookie was named ORACLE_PLATFORM_REMEMBER_UN
. It may exist for each Oracle Application Express service accessed having distinct hostname and path components.
Parent topic: Configuring Service-level Security Settings
3.5.2.1.2 Disabling Access to Oracle Application Express Administration Services
Prevent a user from logging in to Oracle Application Express Administration Services.
Instance administrators can prevent a user from logging in to Oracle Application Express Administration Services. Disabling administrator login in production environments prevents unauthorized users from accessing Application Express Administration Services and possibly compromising other user login credentials.
To disable user access to Oracle Application Express Administration Services:
3.5.2.1.3 Enabling Access to Oracle Application Express Administration Services
If access to Oracle Application Express Administration Services has been disabled, an Instance administrator can re-enable again by running the following SQL statements.
To enable user access to Oracle Application Express Administration Services if it has been disabled:
Parent topic: Configuring Service-level Security Settings
3.5.2.1.4 Disabling Workspace Login Access
Restrict user access to Application Express by disabling workspace login. Disabling workspace login in production environments prevents users from running Application Express applications such as App Builder.
To disable user access to the Internal workspace:
Parent topic: Configuring Service-level Security Settings
3.5.2.1.5 Controlling Public File Upload
Use the Allow Public File Upload attribute to control whether unauthenticated users can upload files in applications that provide file upload controls.
To control file upload:
Parent topic: Configuring Service-level Security Settings
3.5.2.1.6 Restricting User Access by IP Address
Restrict user access to an Oracle Application Express instance by specifying a comma-delimited list of allowable IP addresses.
To restrict user access by IP address:
Parent topic: Configuring Service-level Security Settings
3.5.2.1.7 Configuring a Proxy Server for an Instance
Configure an entire Oracle Application Express instance to use a proxy for all outbound HTTP traffic.
Setting a proxy at the instance-level supersedes any proxies defined at the application-level or in web service references. If a proxy is specified, regions of type URL, Web services, and report printing will use the proxy.
To configure a proxy for an Oracle Application Express instance:
- Sign in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Locate the Security section.
- In Instance Proxy, enter the address and port of the proxy to be used for the entire instance. In No Proxy Domains, enter a list of domains, for which the proxy server should not be used.
- Click Apply Changes.
Parent topic: Configuring Service-level Security Settings
3.5.2.1.8 Selecting a Checksum Hash Function
Select a hash function that Application Express uses to generate one way hash strings for checksums.
The Checksum Hash Function attribute enables you to react to recent developments and switch between algorithms based on new research. Use the Checksum Hash Function attribute to select a hash function that Oracle Application Express uses to generate one way hash strings for checksums. This attribute is also the default value for the Security Bookmark Hash Function attribute in new applications. Applications use the Bookmark Hash Function when defining bookmark URLs.
Tip:
Changing the Checksum Hash Function does not change the Bookmark Hash Function currently defined for existing applications because this would invalidate all existing bookmarks saved by end users. Oracle strongly recommends going into existing applications, expiring existing bookmarks, and then updating the Bookmark Hash Function to the same value defined for Checksum Hash Function.
To select a checksum hash function:
Parent topic: Configuring Service-level Security Settings
3.5.2.1.9 Configuring Rejoin Sessions for an Instance
Controls at the application-level if whether URLs in this application contain session IDs.
By configuring the Rejoin Sessions attribute, Instance administrators can control if Oracle Application Express supports URLs that contain session IDs. When Rejoin Sessions is enabled, Oracle Application Express attempts to use the session cookie to join an existing session, when a URL does not contain a session ID.
To use Rejoin Sessions at the applicaion or page-level, an administrator must enable Rejoin Sessions at the instance-level. A more restrictive instance-level setting overrides application and page settings.
Warning:
For security reasons, Oracles recommends that administrators disable support for session joining unless they implement workspace isolation by configuring the Allow Hostname attributes. See "Isolating a Workspace to Prevent Browser Attacks" and "Isolating All Workspaces in an Instance."
Note:
Enabling rejoin sessions may expose your application to possible security breaches by enabling attackers to take over existing end user sessions. To learn more, see "About Rejoin Sessions" in Oracle Application Express App Builder User’s Guide.
To configure Rejoin Sessions:
- Sign in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Locate the Security section.
- From Rejoin Sessions, select an option:
- Disabled - If the URL does not contain a session ID, Oracle Application Express creates a new session.
- Enabled for Public Sessions - If the URL goes to a public page and does not contain a session ID Application Express attempts to utilize the existing session cookie established for that application. For applications with both public and authenticated pages, a session ID is defined after the end user authenticates. Application Express only joins via the cookie when the session is not yet authenticated.
- Enabled for All Sessions - If the URL does not contain a session ID, Oracle Application Express attempts to use the existing session cookie established for that application, providing one of the following conditions are met:
-
Session State Protection is enabled for the application and the URL includes a valid checksum. For public bookmarks, the most restrictive item level protection must be either Unrestricted or Checksum Required - Application Level.
-
The URL does not contain payload (a request parameter, clear cache or data value pairs). This setting requires that Embed In Frames is set to Allow from same origin or to Deny for the application.
Enabled for All Sessions requires that Embed in Frames is set to Allow from same origin or Deny. This is not tied to a condition about the URL payload, but also applies to session state protected URLs.
-
- Click Apply Changes.
See Also:
-
"Configuring Rejoin Sessions for a Page" in Oracle Application Express App Builder User’s Guide
-
"Session Management" in Oracle Application Express App Builder User’s Guide to learn how to configure Rejoin Sessions at the application-level
Parent topic: Configuring Service-level Security Settings
3.5.2.1.10 Configuring Unhandled Errors
Control how Oracle Application Express displays the results of unhandled errors
When Oracle Application Express encounters an unhandled error during processing, an error page displays to the end user of the application. From a security standpoint, it is often better to not display these messages and error codes to the end user and simply return a HTTP 400 (Bad Request) error code to the client browser.
To configure Unhandled Errors:
Parent topic: Configuring Service-level Security Settings
3.5.2.2 Configuring HTTP Protocol Attributes
Determine HTTPS requirements for an Oracle Application Express instance and all related applications.
Note:
Require HTTPS make Oracle Application Express unreachable by the HTTP protocol. Before enabling this setting, ensure that the HTTPS protocol is enabled and configured correctly on your server.
- About SSL
Secure Sockets Layer (SSL) is a protocol for managing the security of data transmitted on the Internet. For web applications, SSL is implemented by using the HTTPS protocol. Oracle recommends running Oracle Application Express applications using SSL (HTTPS protocol) to prevent any sensitive data from being sent over an unencrypted (cleartext) communication channel. - Requiring HTTPS
Configure both the Oracle Application Express instance and all related applications to require HTTPS by configuring the Require HTTPS and Require Outbound HTTPS attributes. - Reversing Require HTTPS
If you enable Reverse HTTPS, an Instance administrator can disable it by running the following SQL statements. - Reversing Require Outbound HTTPS
If you enable Require Outbound HTTPS, an Instance administrator can disable it by running the following SQL statements. - Configuring Additional Response Headers
Enter additional HTTP response headers that Oracle Application Express should send on each request, for all applications.
Parent topic: Configuring Security
3.5.2.2.1 About SSL
Secure Sockets Layer (SSL) is a protocol for managing the security of data transmitted on the Internet. For web applications, SSL is implemented by using the HTTPS protocol. Oracle recommends running Oracle Application Express applications using SSL (HTTPS protocol) to prevent any sensitive data from being sent over an unencrypted (cleartext) communication channel.
Parent topic: Configuring HTTP Protocol Attributes
3.5.2.2.2 Requiring HTTPS
Configure both the Oracle Application Express instance and all related applications to require HTTPS by configuring the Require HTTPS and Require Outbound HTTPS attributes.
Important:
If you enable Require HTTPS makes Oracle Application Express unreachable by the HTTP protocol. Before enabling this setting, ensure that the HTTPS protocol is enabled and configured correctly on your server.
To require HTTPS in Oracle Application Express:
- Sign in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Under HTTP Protocol, configure the following:
- Click Apply Changes.
Parent topic: Configuring HTTP Protocol Attributes
3.5.2.2.3 Reversing Require HTTPS
If you enable Reverse HTTPS, an Instance administrator can disable it by running the following SQL statements.
To reverse Require HTTPS:
Parent topic: Configuring HTTP Protocol Attributes
3.5.2.2.4 Reversing Require Outbound HTTPS
If you enable Require Outbound HTTPS, an Instance administrator can disable it by running the following SQL statements.
To reverse Require Outbound HTTPS:
Parent topic: Configuring HTTP Protocol Attributes
3.5.2.2.5 Configuring Additional Response Headers
Enter additional HTTP response headers that Oracle Application Express should send on each request, for all applications.
To configure additional response headers:
Parent topic: Configuring HTTP Protocol Attributes
3.5.2.3 Enabling Real Application Security
Enable Oracle Real Application Security.
To enable Real Application Security:
If you are running Oracle Database 12c Release 1 (12.1.0.2) or later, you can enable Oracle Real Application Security. Oracle Real Application Security (RAS) is a database authorization framework that enables application developers and administrators to define, provision, and enforce application-level security policies at the database layer.
Parent topic: Configuring Security
3.5.2.4 Configuring Session Timeout for an Instance
Use the Session Timeout attributes for an instance to reduce exposure at the application-level for abandoned computers with an open web browser.
Instance administrators can Session Timeout for an instance on the Instance Settings, Security page.
To configure Session Timeout attributes for an instance:
- Sign in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Under Session Timeout:
- Click Apply Changes.
See Also:
- "About Utilizing Session Timeout" and "Session Management" in Oracle Application Express App Builder User’s Guide
Parent topic: Configuring Security
3.5.2.5 Isolating All Workspaces in an Instance
Instance administrators can prevent browser attacks by isolating a workspace.
- About Isolating Workspaces to Prevent Browser Attacks
Isolating workspaces is an effective approach to preventing browser attacks. - Configuring Instance-Level Workspace Isolation Attributes
Configure isolation and resource limitation default values for all workspaces. Workspace administrators can override these default values at the workspace-level.
Parent topic: Configuring Security
3.5.2.5.1 About Isolating Workspaces to Prevent Browser Attacks
Isolating workspaces is an effective approach to preventing browser attacks.
The only way to truly isolate a workspace is to enforce different domains in the URL by configuring the Allow Hostnames attribute. When the URLs of the attacker and the victim have different domains and hostnames, the browser's same-origin policy prevents attacks.
3.5.2.5.2 Configuring Instance-Level Workspace Isolation Attributes
Configure isolation and resource limitation default values for all workspaces. Workspace administrators can override these default values at the workspace-level.
To configure instance-level Workspace Isolation attributes:
Parent topic: Isolating All Workspaces in an Instance
3.5.2.6 Defining Excluded Domains for Regions and Web Services
Define a list of restricted domains for regions of type URL and Web services. If a Web service or region of type URL contains an excluded domain, an error displays informing the user that it is restricted.
To define a list of excluded domain from regions of type URL and Web services:
Parent topic: Configuring Security
3.5.2.7 Configuring Authentication Controls for an Instance
Configure authentication controls for an entire Oracle Application Express instance.
- About Authentication Controls
Administrators can configure authentication controls for an entire instance or for each individual workspace. - Configuring Security for Developer and End User Login
Configure developer and end user login security settings. - Configuring Security Settings for Workspace Administrator and Developer Accounts
Manage security settings for workspace administrator and workspace developer accounts. - Editing Development Environment Authentication Scheme
Manage development environment authentication schemes.
See Also:
Parent topic: Configuring Security
3.5.2.7.1 About Authentication Controls
Administrators can configure authentication controls for an entire instance or for each individual workspace.
For example, if an instance administrator configures authentication controls in Oracle Application Express Administration Services that configuration applies to all Application Express accounts in all workspaces across an entire development instance.
If the instance administrator does not enable authentication controls across an entire instance, then each Workspace administrator can enable the following controls on a workspace-by-workspace basis:
-
User account expiration and locking
-
A maximum number of failed login attempts for user accounts
-
Account password lifetime (or number of days an end-user account password can be used before it expires for end-user accounts)
Tip:
This feature applies only to accounts created using the Application Express user creation and management. It provides additional authentication security for applications. See "Managing Users in a Workspace."
3.5.2.7.2 Configuring Security for Developer and End User Login
Configure developer and end user login security settings.
To configure security settings for developer and end user login:
- Sign in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Under General Settings, configure the following attributes:
- Click Apply Changes.
Parent topic: Configuring Authentication Controls for an Instance
3.5.2.7.3 Configuring Security Settings for Workspace Administrator and Developer Accounts
Manage security settings for workspace administrator and workspace developer accounts.
To configure security controls for workspace administrator and workspace developer accounts:
- Sign in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Under Development Environment Settings,, configure the following attributes:
- Click Apply Changes.
Parent topic: Configuring Authentication Controls for an Instance
3.5.2.7.4 Editing Development Environment Authentication Scheme
Manage development environment authentication schemes.
To edit development environment authentication schemes:
Tip:
You can also change the authentication scheme using the APEX_BUILDER_AUTHENTICATION
parameter in APEX_INSTANCE_ADMIN
package. See "Available Parameter Values" in Oracle Application Express API Reference.
Parent topic: Configuring Authentication Controls for an Instance
3.5.2.8 Creating Strong Password Policies
Instance administrators can create strong password policies for an Oracle Application Express instance.
- About Strong Password Policies
Manage password policy for Application Express users (workspace administrators, developers, and end users) in all workspaces. - Configuring Password Policies
Manage password policy for Application Express users (workspace administrators, developers, and end users) in all workspaces.
Parent topic: Configuring Security
3.5.2.8.1 About Strong Password Policies
Manage password policy for Application Express users (workspace administrators, developers, and end users) in all workspaces.
Password policies can:
-
Apply to all users (including, Workspace administrators, developers, and end users) in an Oracle Application Express instance.
-
Include restrictions on characters, password length, specific words, and differences in consecutive passwords.
-
Apply to users signing in to Oracle Application Express Administration Services.
The Application Express instance administrator can select the password policy for service administrators. Options include:
-
Use policy specified in Workspace Password Policy - Applies the password rules specified the in Workspace Password Policy.
-
Use default strong password policy - Adds another layer of security to prevent hackers from determining an administrator's password. This password policy requires that service administrator passwords meet these restrictions:
-
Consist of at least six characters.
-
Contain at least one lowercase alphabetic character, one uppercase alphabetic character, one numeric digit, and one punctuation character.
-
Cannot include the username.
-
Cannot include the word Internal.
-
Cannot contain any words shown in the Must Not Contain Workspace Name field in this section.
Password policies add another layer of security to prevent hackers from determining an administrator's password.
-
Parent topic: Creating Strong Password Policies
3.5.2.8.2 Configuring Password Policies
Manage password policy for Application Express users (workspace administrators, developers, and end users) in all workspaces.
To configure password policies:
Parent topic: Creating Strong Password Policies
3.5.2.9 Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)
Restrict access to Oracle Application Express by Database Access Descriptor (DAD).
Tip:
The PL/SQL Request Validation Function directive is only available in Oracle Application Server 10g and Oracle HTTP Server 11g or later, and the embedded PL/SQL gateway in Oracle Database 11g or later. This directive is not available in Oracle HTTP Server Release 9.0.3.
- About Enforcing Access Restrictions Per DAD
You can restrict access to Oracle Application Express by DAD by creating a request validation function directive when you create the DAD. - About Changing and Recompiling wwv_flow_epg_include_local
You can change and recompile thewwv_flow_epg_include_local
function to restrict access. - Specifying Allowed Named Procedures
- Altering the Product Schema
You can restrict access by altering the product schema.
Parent topic: Configuring Security
3.5.2.9.1 About Enforcing Access Restrictions Per DAD
You can restrict access to Oracle Application Express by DAD by creating a request validation function directive when you create the DAD.
mod_plsql
and the embedded PL/SQL gateway support a directive which enables you to name a PL/SQL function which is called for each HTTP request. You can use this functionality to restrict the procedures that can be called through the embedded PL/SQL gateway or mod_plsql
. The function returns TRUE
if the named procedure in the current request is allowed and FALSE
if it is not allowed. You can also use this function to enforce access restrictions for Oracle Application Express on a per-Database Access Descriptor (DAD) basis.
During installation, the installer also creates a PL/SQL function in the Oracle
Application Express product schema
(APEX_190200
). To restrict access, you can
change and recompile this function. The source code for this
function is not wrapped and can be found in the Oracle
Application Express product core directory in the file named
wwv_flow_epg_include_local.sql
.
Oracle Application Express ships with a request validation function named wwv_flow_epg_include_modules.authorize
. This function specifies access restrictions appropriate for the standard DAD configured for Oracle Application Express.
The wwv_flow_epg_include_mod_local
function is called by Oracle Application Express's request validation function which itself is called by the embedded PL/SQL gateway or mod_plsql
. The Oracle Application Express function first evaluates the request and based on the procedure name, approves it, rejects it, or passes it to the local function, wwv_flow_epg_include_mod_local
, which can evaluate the request using its own rules.
When you create new DADs for use with Oracle Application Express, the request validation function directive should be specified. Specifically, the function wwv_flow_epg_include_modules.authorize
should be named in the directive PlsqlRequestValidationFunction
in the Database Access Descriptor entry in dads.conf
.
If you have no additional restrictions beyond those implemented in the wwv_flow_epg_include_modules.authorize
function, there is no need to take any action with respect to the source code for the wwv_flow_epg_include_mod_loca
l function.
3.5.2.9.2 About Changing and Recompiling wwv_flow_epg_include_local
You can change and recompile the wwv_flow_epg_include_local
function to restrict access.
The source code for the wwv_flow_epg_include_local
function is not wrapped and can be found in the Oracle Application Express product core directory in the file named wwv_flow_epg_include_local.sql
. The source code is as follows:
CREATE OR REPLACE FUNCTION wwv_flow_epg_include_mod_local( PROCEDURE_NAME IN VARCHAR2) RETURN BOOLEAN IS BEGIN RETURN FALSE; -- remove this statement when you add procedure names to the "IN" list IF UPPER(procedure_name) IN ( '') THEN RETURN TRUE; ELSE RETURN FALSE; END IF; END wwv_flow_epg_include_mod_local; /
3.5.2.9.3 Specifying Allowed Named Procedures
wwv_flow_epg_include_local
.
To specify names of procedures that should be allowed, edit wwv_flow_epg_include_local
as follows:
3.5.2.10 Managing Authorized URLs
Create and manage a list of authorized URLs.
Authorized URLs identify the list of URLs that can be used as parameter values of certain Oracle Application Express procedures. This includes the APEX_UTIL.COUNT_CLICK
procedure, which has an input parameter named P_NEXT_URL
.
If the parameter value to P_NEXT_URL
is not a relative URL and not to the current host name, then it must be contained in this list of Authorized URLs.
- Defining a List of Authorized URLs
Define a list of authorized URLs. - Editing a Defined Authorized URL
Edit a URL included in the list of authorized URLs. - Deleting Defined Authorized URL
Delete a URL included in the list of authorized URLs.
Parent topic: Configuring Security
3.5.2.10.1 Defining a List of Authorized URLs
Define a list of authorized URLs.
To define a list of Authorized URLs:
Parent topic: Managing Authorized URLs
3.5.2.10.2 Editing a Defined Authorized URL
Edit a URL included in the list of authorized URLs.
To edit an existing URL:
- Sign in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Click the Authorized URLs tab.
- Click the Edit icon adjacent to the URL.
- Edit the Authorized URL and Description fields.
- Click Apply Changes.
Parent topic: Managing Authorized URLs
3.5.2.10.3 Deleting Defined Authorized URL
Delete a URL included in the list of authorized URLs.
To delete a URL included in the list of authorized URLs:
- Sign in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Click the Authorized URLs tab.
- Click the Edit icon adjacent to the URL.
- Click Delete.
- Click OK to confirm your selection.
Parent topic: Managing Authorized URLs