Oracle Application Express provides a number of security features to harden application development and runtime security. Administrators can configure both the Application Express instance and related applications to require the HTTPS protocol which utilizes Secure Socket Layer (SSL). They can also define password complexity rules and reuse policies.

Application developers can enable Session State Protection which incorporates checksums within the URL to prevent tampering and unauthorized access. They can also ensure that only necessary data is saved in session state and whenever that information is sensitive (for example, SSN), the value can be encrypted so that it cannot be read outside of the application.

Authentication is used to determine if a user is allowed to access an application. Unless an application is public, where no authentication is required, end users must specify a username and password to gain access. Oracle Application Express provides a number of built-in authentication schemes including:

  • Oracle Application Express Managed Users
  • Single Sign On
  • Database Account Credentials
  • Custom schemes

Custom schemes can also be used that interface with just about any authentication service including Microsoft Active Directory and Oracle Applications.

Authorization schemes are used within Application Express to control the rendering and processing of components based on user privileges. You apply authorization to an entire application, or selectively to pages, or page components such as tabs, regions, buttons, items, validations, processes, and so on. Authorization schemes either succeed or fail. Only if the associated authorization scheme succeeds will a user be able to see or use the component.

Application Express Accounts


Workspace administrators can create new user accounts, manage existing user accounts, and change user passwords. User accounts can be workspace administrators, workspace developers, or end users. Development privileges are defined using Oracle Application Express user accounts however Oracle Application Express applications can be run using external authentication methods. Oracle Application Express user accounts can be locked and support password expiration and password complexity, as well as other rules.

Session Timeout


Instance Administrators can define maximum session length and maximum idle time for Application Express developers. Similarly, developers can define maximum session length and idle time for each application which moderates access by end-users.

Runtime Only Installation


For testing and production instances, Oracle Application Express supports the ability to install just a runtime version. This minimizes the installed footprint and privileges. It also improves your application consistency because in a runtime instance developers cannot inadvertently update any application source.

Secure Coding

Cross Site Scripting

Cross site-scripting (also referred to as XSS) is a security breach that takes advantage of dynamically generated Web pages. In a XSS attack, a Web application is sent a script that activates when it is read by a user's browser. Once activated, these scripts can steal data, even session credentials, and return the information to the attacker. If malicious code were introduced into an Oracle Application Express application, it could be rendered into HTML regions and other places within the application during normal page rendering. To learn more about potential vulnerabilities and secure coding practices to minimize such risks, see online Help.

SQL Injection

SQL Injection enables input from an application to flow into a SQL statement, effectively altering the SQL statement. A very effective method to ensure SQL statements are protected from SQL injection is to use bind variables. Oracle Application Express supports the use of bind variables in all SQL and PL/SQL statements. To build a secure application all dynamic SQL needs to ensure that no end user input can be injected into the SQL statement.

Protecting Session State

Session State Protection is built-in functionality that prevents hackers from tampering with the URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy. Enabling Session State Protection is a two-step process. First, you enable the feature. Second, you set page and item security attributes.