Oracle Application Express provides a number of security features to harden application development and runtime security. Administrators can configure both the Application Express instance and related applications to require the HTTPS protocol which utilizes Secure Socket Layer (SSL). They can also define password complexity rules and reuse policies.
Application developers can enable Session State Protection which incorporates checksums within the URL to prevent tampering and unauthorized access. They can also ensure that only necessary data is saved in session state and whenever that information is sensitive (for example, SSN), the value can be encrypted so that it cannot be read outside of the application.
 | Authentication is used to determine if a user is allowed to access an application. Unless an application is public, where no authentication is required, end users must specify a username and password to gain access. Oracle Application Express provides a number of built-in authentication schemes including:
- Oracle Application Express Managed Users
- Single Sign On
- Database Account Credentials
- Custom schemes
Custom schemes can also be used that interface with just about any authentication service including Microsoft Active Directory and Oracle Applications. |
 | Authorization schemes are used within Application Express to control the rendering and processing of components based on user privileges. You apply authorization to an entire application, or selectively to pages, or page components such as tabs, regions, buttons, items, validations, processes, and so on. Authorization schemes either succeed or fail. Only if the associated authorization scheme succeeds will a user be able to see or use the component. |