There are three important Oracle APEX security measures:

  • Security in the Oracle APEX instance
  • Security settings in Workspace
  • Security in applications

Security in Oracle Application Express


Security in the Oracle APEX Instance

Securing the instance as a whole is the task of the Oracle APEX environment (instance) administrators. For background, review the Oracle Application Express Application Builder User's Guide, section Understanding Administrator Security Best Practices. To harden the environment, the administrator should review the instance settings described below and apply them, either in the administration UI or with the instance administration API (APEX_INSTANCE_ADMIN).

Feature settings

  • Enable SQL and PL / SQL access to Websheets: disable this so that Websheet users cannot reach database objects through the SQL tag.
  • Websheet SQL and PL / SQL reports: disable this so that Websheet users cannot build reports from SQL and PL / SQL.
  • Enable RESTful Services: disable this unless developers genuinely need to create and modify RESTful Web Services (SQL and PL / SQL based; requires APEX Listener Release 2.0 or later).


  • Disable workspace login: set to Yes on test and production environments that are full (not runtime-only) installations. A runtime-only installation has no development environment to log in to, and is the better choice for those environments.
  • Allow public file upload: set to No so that unauthenticated (unknown) users cannot upload files.
  • Restrict access by IP address: enter a comma-separated list of the IP addresses and ranges that are allowed to reach the instance.
  • Instance proxy: specify the proxy server used for outbound (external) traffic.
  • Require HTTPS: enforce HTTPS for connections so that data is transferred encrypted.
  • Allow RESTful access: disable this unless users need to expose reports as RESTful services.
  • Session timeout: specify the maximum session length and the maximum idle time after which the user must re-authenticate; these instance-level values override the application-level settings.
  • General login controls: configure the delay imposed after repeated failed password attempts and related lockout settings (the internal proxy server setting also lives here).
  • Workspace password policies: several settings that make it harder for all workspace users, developers and end users alike, to choose weak passwords.
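The instance security settings above can be checked and applied from SQL instead of being clicked through the administration UI. The following is an added example, not code from the page: it uses APEX_INSTANCE_ADMIN.GET_PARAMETER and SET_PARAMETER, which exist, but the parameter names are taken from the APEX_INSTANCE_ADMIN documentation and the accepted values differ between releases (REQUIRE_HTTPS takes 'Y'/'N' on 4.x and 'A'/'D'/'N' on 5.x, for example), so treat the names and values as assumptions to verify against your release. The IP allow-list and the timeouts are made-up sample values.

```sql
-- Added example: audit the instance security baseline and optionally enforce it.
-- Run as SYS, SYSTEM, or a schema granted APEX_ADMINISTRATOR_ROLE.
-- Parameter names follow the APEX_INSTANCE_ADMIN documentation; the values are
-- assumptions to check for your release (REQUIRE_HTTPS: 'Y' on 4.x, 'A' = always on 5.x).
set serveroutput on
declare
  type t_expected is table of varchar2(200) index by varchar2(64);
  l_expected t_expected;
  l_name     varchar2(64);
  l_actual   varchar2(4000);
  l_bad      pls_integer := 0;
  l_apply    boolean     := false;   -- set to true to enforce the expected values
begin
  l_expected('REQUIRE_HTTPS')            := 'A';              -- everything encrypted in transit
  l_expected('ALLOW_PUBLIC_FILE_UPLOAD') := 'N';              -- no uploads from unknown users
  l_expected('DISABLE_WORKSPACE_LOGIN')  := 'Y';              -- test / production instances only
  l_expected('ALLOW_REST')               := 'N';              -- unless reports must be exposed as REST
  l_expected('MAX_SESSION_LENGTH_SEC')   := '28800';          -- 8 h, sample value
  l_expected('MAX_SESSION_IDLE_SEC')     := '1800';           -- 30 min idle, sample value
  l_expected('RESTRICT_IP_RANGE')        := '10.0.0.*,192.168.1.*';  -- sample allow-list

  -- Walk the baseline, report every deviation, and correct it when asked to.
  l_name := l_expected.first;
  while l_name is not null loop
    l_actual := apex_instance_admin.get_parameter(p_parameter => l_name);
    if l_actual is null or l_actual <> l_expected(l_name) then
      l_bad := l_bad + 1;
      dbms_output.put_line('MISMATCH ' || rpad(l_name, 26)
                           || ' expected=' || l_expected(l_name)
                           || ' actual='   || nvl(l_actual, '<null>'));
      if l_apply then
        apex_instance_admin.set_parameter(p_parameter => l_name,
                                          p_value     => l_expected(l_name));
      end if;
    end if;
    l_name := l_expected.next(l_name);
  end loop;

  if l_apply then
    commit;
  end if;
  dbms_output.put_line(l_bad || ' setting(s) differ from the baseline'
                       || case when l_apply and l_bad > 0 then ' (corrected)' end);
end;
/
```

Run it first with l_apply left at false to see what would change. DISABLE_WORKSPACE_LOGIN locks developers out of the development environment on that instance, which is what you want on test and production but must never be applied to the development instance; on a runtime-only installation the question does not arise because there is no workspace login.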

Instance settings

  • Configure the instance's own email service
  • Set the amount of storage allocated when a new workspace is provisioned for developers
  • Define the schemas used by workspaces, and the tablespace used for new schemas (an encrypted tablespace where data at rest must be protected)
  • SMTP settings using SSL / TLS, available with database version 11g and above
  • Wallet definition: the Oracle wallet that holds the protected credentials used for SMTP authentication and for outbound HTTPS requests
  • Workspace purge settings
  • On large installations, where requests for new workspaces arrive irregularly or database resources are constrained, instance administrators can define purge settings. At set intervals the workspace administrator is emailed that the workspace is about to be deactivated; if they do not reply that they want it kept active, the workspace is purged. Purging removes the workspace together with all of its applications, old and published alike.

Workspace management

  • Assign schemas to workspaces
  • Define schema-to-workspace mappings; a workspace can use several schemas and a schema can be assigned to several workspaces
  • Manage developers and end users
  • Control which schemas users can reach through the workspace, and whether each workspace user is an administrator, a developer or an end user
  • Restrict users to parts of Application Builder and lock individual accounts
  • Manage the availability of components
  • Adjust a developer's access within a workspace to Application Builder, SQL Workshop and PL / SQL editing. For example, if users should only be able to create and run database objects, not build applications, assign the correct schema and then set the user attributes accordingly.

Security settings in the Workspace

Workspace administrators are responsible for applying the workspace-level settings and for ensuring an appropriate level of security within their own workspace. Under Administration > Manage Service > Set Workspace Preferences you can control login access; for APEX end users in particular you can set the maximum number of failed login attempts and how long a user account remains active. You can also disable individual Application Builder components and, where it is not needed, the RESTful service.

Security in applications

Application developers are responsible for the security of their applications; see the Oracle Application Express Application Builder User's Guide, Managing Application Security, for the relevant settings. In the application definition you can specify a proxy server which, if set, overrides the instance-level proxy. You can also set the maximum session length and, if required, the URL to redirect to when the session times out; these likewise take the place of the instance-level settings.

Define authentication correctly, so that only the intended users can reach the application. A page only becomes public (no authentication required) when the developer explicitly marks it so, and such pages must not contain sensitive or significant information. You must also define authorization for the various components of the application. Applying the right authorization scheme to sensitive pages and to the navigation controls that lead to them (tabs, buttons, links) is essential; hiding a link is not a barrier, since the URL can be typed in directly. You can also attach authorization to processes, validations and computations, so that only authorized users can act on the stored data.
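A concrete form of the authorization described above, added here as an example (it is not code from the page): a role table and a PL/SQL function that can serve as the body of a "PL/SQL Function Returning Boolean" authorization scheme. The table, the function, the users and the roles are hypothetical, constructed sample data.

```sql
-- Added example: role-based authorization for an APEX application.
-- Table, function and the sample users/roles are hypothetical.
create table app_user_roles (
  username  varchar2(255) not null,
  role_name varchar2(30)  not null,
  constraint app_user_roles_pk primary key (username, role_name)
);

-- Constructed sample data.
insert into app_user_roles values ('ALICE', 'ORDER_ADMIN');
insert into app_user_roles values ('BOB',   'ORDER_VIEWER');
commit;

-- Fails closed: no user (public page, unauthenticated session) means no access,
-- and an unknown role is simply not found. APEX stores user names in upper case,
-- so the comparison normalises both sides.
create or replace function has_role (
  p_username in varchar2,
  p_role     in varchar2
) return boolean
is
  l_count pls_integer;
begin
  if p_username is null or p_role is null then
    return false;
  end if;
  select count(*)
    into l_count
    from app_user_roles
   where username  = upper(p_username)
     and role_name = upper(p_role);
  return l_count > 0;
end has_role;
/

-- Authorization scheme (Shared Components > Authorization Schemes), type
-- "PL/SQL Function Returning Boolean"; choose "once per page view" as the
-- evaluation point if role changes must take effect within a running session:
--   return has_role(:APP_USER, 'ORDER_ADMIN');
-- Attach the scheme to the order-maintenance page AND to the tab, button and
-- links that lead there AND to the page's DML process, so that a URL typed
-- straight into the browser is blocked as well.

-- Quick check outside APEX (SQL*Plus / SQL Developer).
set serveroutput on
begin
  dbms_output.put_line('alice admin: ' || case when has_role('alice', 'order_admin') then 'yes' else 'no' end);
  dbms_output.put_line('bob   admin: ' || case when has_role('bob',   'order_admin') then 'yes' else 'no' end);
  dbms_output.put_line('anon  admin: ' || case when has_role(null,    'order_admin') then 'yes' else 'no' end);
end;
/
```

The point of the three checks at the end is the third one: an authorization function that is not explicit about a null APP_USER tends to end up granting access on public pages.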

Session State Protection (SSP) is one of the key measures you can use to limit tampering. Protection can be defined for pages, page items and application items. With SSP defined, URL tampering can be prevented for every component; the only exceptions are public pages and page items that are set from JavaScript, such as an item used as the parent of a cascading list of values. SSP can be set through the Session State Protection wizard, when creating the page or item, or manually on the item's attributes.
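What SSP changes for the developer is how links are built. The following is an added example, not code from the page: a report on page 1 that links to page 2 with P2_ORDER_ID set, once with a hand-built URL and once with APEX_UTIL.PREPARE_URL, which exists and appends the checksum SSP verifies. The orders table, the page numbers and the item name are hypothetical, and the example assumes P2_ORDER_ID has SSP set to a checksum-required option.

```sql
-- Added example: link column of a classic report on page 1 opening page 2.
-- Table, page numbers and item name are hypothetical; P2_ORDER_ID is assumed
-- to have Session State Protection "Checksum Required - Session Level".

-- Constructed sample table.
create table orders (
  order_id    number primary key,
  customer    varchar2(50),
  order_total number
);
insert into orders values (1001, 'ACME',   250);
insert into orders values (1002, 'GLOBEX', 980);
commit;

-- Before: the URL is assembled by hand, so it carries no checksum.
-- Without SSP a user can change 1001 to 1002 in the address bar and read another
-- customer's order; with SSP on P2_ORDER_ID APEX rejects the request instead,
-- because no checksum was provided for an item that requires one.
select order_id,
       customer,
       'f?p=' || :APP_ID || ':2:' || :APP_SESSION || '::NO::P2_ORDER_ID:' || order_id
         as link_unprotected
  from orders;

-- After: APEX_UTIL.PREPARE_URL appends the session-bound checksum (&cs=...).
-- Editing P2_ORDER_ID in the URL no longer matches the checksum, so the page
-- is not shown and the item value is not set.
select order_id,
       customer,
       apex_util.prepare_url(
         p_url => 'f?p=' || :APP_ID || ':2:' || :APP_SESSION || '::NO::P2_ORDER_ID:' || order_id
       ) as link_protected
  from orders;
```

The checksum proves only that the application generated this link for this session. It does not decide whether the user is allowed to see order 1002, so page 2 still needs its authorization scheme and its query still needs to filter on the current user.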

As a developer you also need to protect sensitive items, passwords above all. A password item should not be stored in session state at all, or should be stored encrypted and restricted by SSP. Where the option exists, make sure items are HTML-escaped, and restrict the characters that may be entered into an item, to prevent cross-site scripting and other injection attacks. Report regions and dynamic regions should escape their output as well.

As a best practice, run the Advisor (Application Builder > Utilities) once the pages and the application are complete; it performs many kinds of checks and can surface security vulnerabilities. Third-party tools go further, examining the application in more depth and reporting its weaknesses. Two such tools are currently available: the APEXSec Security Tool and eSERT.

About KSRA

The Kavian Scientific Research Association (KSRA) is a non-profit research organization founded in December 2013 to provide research and educational services. Its members had first formed a virtual group on the Viber social network; those members became the founders and core of the association. Led by Professor Siavosh Kaviani, they decided to launch a scientific and research association with an emphasis on education.

KSRA, as a non-profit research association, is committed to providing research services across fields of knowledge. Its main beneficiaries are public and private knowledge-based companies, students, researchers, professors, universities, and industrial and semi-industrial centers around the world.

Our main services are based on education for people across the whole spectrum, worldwide. We want to integrate research and education. We believe education is a basic human right, so our services concentrate on inclusive education.

The KSRA team partners with under-served local communities around the world to improve access to, and the quality of, knowledge-based education, to amplify and augment learning programs where they exist, and to create new opportunities for e-learning where traditional education systems are lacking or non-existent.