3.4.2 Configuring HTTP Protocol Attributes

Determine HTTPS requirements for an Oracle Application Express instance and all related applications.

Note:

Enabling Require HTTPS makes Oracle Application Express unreachable by the HTTP protocol. Before enabling this setting, ensure that the HTTPS protocol is enabled and configured correctly on your server.

3.4.2.1 About SSL

Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is a protocol for protecting data transmitted on the Internet. For web applications, SSL/TLS is implemented by using the HTTPS protocol. Oracle recommends running Oracle Application Express applications using HTTPS to prevent any sensitive data (session cookies, credentials, application data) from being sent over an unencrypted (cleartext) communication channel.

3.4.2.2 Requiring HTTPS

Configure both the Oracle Application Express instance and all related applications to require HTTPS by configuring the Require HTTPS and Require Outbound HTTPS attributes.

Important:

Enabling Require HTTPS makes Oracle Application Express unreachable by the HTTP protocol. Before enabling this setting, ensure that the HTTPS protocol is enabled and configured correctly on your server.

To require HTTPS in Oracle Application Express:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Under HTTP Protocol, configure the following:
    1. Require HTTPS:
      • Always - Enforces HTTPS for all applications, including the Oracle Application Express development and administration applications.

        If set to Always, the Strict-Transport-Security Max Age attribute displays. Use this field to specify the time period, in seconds, during which the browser accesses the server only over HTTPS; the value is sent as the max-age of the Strict-Transport-Security (HSTS) response header. To learn more, see field-level Help.

      • Development and Administration - Enforces HTTPS for all internal applications within Oracle Application Express (that is, App Builder, SQL Workshop, Administration Services, and so on).

      • Application specific - Makes HTTPS dependent on application-level settings.

    2. Require Outbound HTTPS - Select Yes to require all outbound traffic from an Application Express instance (for example, web service calls made from the database) to use the HTTPS protocol.
    3. HTTP Response Headers - Enter additional HTTP response headers that Oracle Application Express should send on each request for all applications. Developers can specify additional headers at application level. Each header must start on a new line. Note that support for various headers differs between browsers. To learn more, see field-level Help.
  5. Click Apply Changes.

3.4.2.3 Reversing Require HTTPS

If you enable Require HTTPS before HTTPS is working on the server, the instance becomes unreachable through the browser. An Instance administrator can disable the setting directly in the database by running the following SQL statements.

To reverse Require HTTPS:

  1. Connect in SQL*Plus or SQL Developer with the Application Express engine schema as the current schema, for example:
    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
  2. Run the following statement (APEX_210200 is the engine schema for release 21.2; use the schema name that matches your installed release):
    ALTER SESSION SET CURRENT_SCHEMA = APEX_210200;
    
  3. Run the following statement:
    BEGIN
        APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_HTTPS', 'N');
        commit;
    end;
    /
    

3.4.2.4 Reversing Require Outbound HTTPS

If you enable Require Outbound HTTPS and outbound calls from the instance start failing, an Instance administrator can disable the setting directly in the database by running the following SQL statements.

To reverse Require Outbound HTTPS:

  1. Connect in SQL*Plus or SQL Developer with the Application Express engine schema as the current schema, for example:
    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
  2. Run the following statement (APEX_210200 is the engine schema for release 21.2; use the schema name that matches your installed release):
    ALTER SESSION SET CURRENT_SCHEMA = APEX_210200;
    
  3. Run the following statement:
    BEGIN
        APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_OUT_HTTPS', 'N');
        commit;
    end;
    /
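
The two reversal procedures above each set one parameter and do not show the value that was in effect beforehand. The following script is an added example, not part of the Oracle documentation, that reads both settings with APEX_INSTANCE_ADMIN.GET_PARAMETER before and after changing them, so the change can be verified from SQL*Plus. It assumes the same connection as the procedures above (SYS, with the APEX_210200 engine schema as the current schema); the value A for REQUIRE_HTTPS, used to switch the instance back to Always once HTTPS is confirmed working, is an assumption to check against the APEX_INSTANCE_ADMIN reference for your release.

```sql
-- Added example (not from the Oracle documentation). Assumes a SQL*Plus
-- session connected as SYS, as in the reversal procedures above.
-- APEX_210200 is the engine schema for release 21.2; substitute your own.
ALTER SESSION SET CURRENT_SCHEMA = APEX_210200;
SET SERVEROUTPUT ON

-- Step 1: record the current HTTP protocol settings before touching them.
BEGIN
    DBMS_OUTPUT.PUT_LINE('before: REQUIRE_HTTPS     = '
        || APEX_INSTANCE_ADMIN.GET_PARAMETER('REQUIRE_HTTPS'));
    DBMS_OUTPUT.PUT_LINE('before: REQUIRE_OUT_HTTPS = '
        || APEX_INSTANCE_ADMIN.GET_PARAMETER('REQUIRE_OUT_HTTPS'));
END;
/

-- Step 2: relax both settings in one transaction. This is the combined
-- form of the two reversal procedures; use it only to regain access to
-- an instance that was locked out before HTTPS was working.
BEGIN
    APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_HTTPS', 'N');
    APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_OUT_HTTPS', 'N');
    COMMIT;
END;
/

-- Step 3: confirm the change took effect.
BEGIN
    DBMS_OUTPUT.PUT_LINE('after:  REQUIRE_HTTPS     = '
        || APEX_INSTANCE_ADMIN.GET_PARAMETER('REQUIRE_HTTPS'));
    DBMS_OUTPUT.PUT_LINE('after:  REQUIRE_OUT_HTTPS = '
        || APEX_INSTANCE_ADMIN.GET_PARAMETER('REQUIRE_OUT_HTTPS'));
END;
/

-- Step 4 (optional, run only after HTTPS is confirmed to work in a browser):
-- re-enable Require HTTPS = Always. The value 'A' is an assumption; verify it
-- against the APEX_INSTANCE_ADMIN documentation for your release.
-- BEGIN
--     APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_HTTPS', 'A');
--     COMMIT;
-- END;
-- /
```

Keep the "before" output: it tells you what to restore once the underlying HTTPS problem is fixed, and it is the evidence an auditor will ask for if the instance was deliberately downgraded to HTTP for a period of time.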
    

3.4.2.5 Configuring Additional Response Headers

Enter additional HTTP response headers that Oracle Application Express should send on each request, for all applications.

To configure additional response headers:

  1. Sign in to Oracle Application Express Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Locate HTTP Protocol.
  5. In HTTP Response Headers, enter additional HTTP response headers that Oracle Application Express should send on each request for all applications.

    Developers can specify additional headers at application level. Each header must start on a new line. Support for various headers differs between browsers.

    One important security-related header is Content-Security-Policy. Sending this header can significantly reduce the risk of cross-site scripting (XSS) and related attacks, because the browser then refuses to load scripts and other resources from origins the policy does not allow. Test a new policy against the development and administration applications as well as your own applications before applying it instance-wide, because an overly strict policy blocks the application's own scripts. To learn more, see field-level Help.

  6. Click Apply Changes.