Security Before Go-Live
Before deploying an APEX application to production, review this checklist of security settings and practices. APEX is secure by default in many areas, but application-level configuration decisions can introduce vulnerabilities if not handled properly.
Authentication
Ensure the authentication scheme fits the environment. For internal applications, use Application Express Accounts or integrate with the corporate directory (LDAP or Active Directory). For public-facing applications, consider Social Sign-In or a custom scheme backed by a strong password policy and a limit on failed logins. Never deploy to production with a scheme of type "No Authentication" (or a custom scheme whose authentication function returns true unconditionally), and confirm that the scheme marked Current is the one you intend to ship, since an application can carry several schemes and only the current one is used.
Session Management
Set the Maximum Session Length and Maximum Session Idle Time in the application's Security Attributes (if left blank, the instance-level settings apply). For sensitive applications, an idle timeout of 15 to 30 minutes is reasonable. Enable Session State Protection, which appends a checksum to URLs so that page and item values cannot be altered in the address bar. Enabling it at the application level is only the master switch: each page's Page Access Protection must also be set (for example "Arguments Must Have Checksum" or "No URL Access"), and each sensitive item's Session State Protection must be set to "Checksum Required" or "Restricted" for the protection to take effect. Once checksums are required, any link built in PL/SQL must be generated with APEX_UTIL.PREPARE_URL or APEX_PAGE.GET_URL rather than assembled by hand, or APEX will reject it.
Authorization
Apply authorization schemes to every page, not only the obviously sensitive ones. Set the application-level Authorization Scheme in the application's Security Attributes so that the whole application is protected and individual pages only add tighter checks. Review navigation menu entries to ensure they are filtered by authorization, but treat that as usability only: hiding a menu entry does not stop a user from typing the page URL, so the page-level scheme is the actual control. Apply the same thinking to buttons and processes that perform privileged actions (a hidden button does not protect the process it submits). Test by logging in as a user of each role and requesting protected page numbers directly.
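As an added example (not code from the page or from Oracle), the following shows an authorization scheme body backed by a role table and a way to evaluate it for several users from SQL*Plus or SQLcl without a browser. The table APP_USER_ROLES, its rows and application number 100 are constructed for the example; the APEX_SESSION and APEX_AUTHORIZATION calls are the documented APEX APIs.

```sql
-- Constructed role table for the example (not part of APEX).
create table app_user_roles (
    username  varchar2(255) not null,
    role_name varchar2(30)  not null,
    constraint app_user_roles_pk primary key (username, role_name)
);
insert into app_user_roles values ('ALICE', 'ADMIN');   -- ALICE holds ADMIN
insert into app_user_roles values ('BOB',   'READER');  -- BOB does not
commit;

-- Authorization scheme "IS_ADMIN" in Shared Components.
-- Type: PL/SQL Function Returning Boolean.
-- Evaluation Point "Once per session" caches the verdict for the whole session;
-- choose "Always" if a role can be revoked while the user is still logged in.
declare
    l_count pls_integer;
begin
    select count(*)
      into l_count
      from app_user_roles
     where username  = :APP_USER      -- bind variable, never &APP_USER.
       and role_name = 'ADMIN';
    return l_count = 1;               -- zero rows means not authorized
end;

-- Test harness: run as the parsing schema of application 100 (assumed to exist
-- and to contain the scheme above). Each call creates a real APEX session for
-- the named user, evaluates the scheme, and removes the session again.
declare
    procedure check_user(p_user in varchar2) is
    begin
        apex_session.create_session(
            p_app_id   => 100,
            p_page_id  => 1,
            p_username => p_user);
        apex_authorization.reset_cache;     -- ignore any cached verdict
        dbms_output.put_line(p_user || ' IS_ADMIN => ' ||
            case when apex_authorization.is_authorized('IS_ADMIN')
                 then 'authorized' else 'denied' end);
        apex_session.delete_session(p_session_id => v('APP_SESSION'));
    end;
begin
    check_user('ALICE');
    check_user('BOB');
end;
/
```

Because the harness drives the same engine the browser does, it is a convenient way to script the "log in as each role" check from the page and keep it in a release test.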
SQL Injection Prevention
Use bind variables (:P10_ITEM) in all SQL and PL/SQL. Never use substitution strings (&P10_ITEM.) in SQL or PL/SQL: they are replaced textually before the statement is parsed, so the item's value becomes part of the code rather than data. If you must build dynamic SQL, bind every value and validate any identifier (table name, column name, sort column) with DBMS_ASSERT, preferably after checking it against an allow list, because DBMS_ASSERT only guarantees that a string is a syntactically valid identifier, not that the user is entitled to reference it. Review every "PL/SQL Function Body Returning SQL Query" region and every EXECUTE IMMEDIATE or DBMS_SQL call to ensure they are not concatenating user input into the statement text.
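The following is an added example, not from the original page, of the same region source written first in the injectable form and then in the hardened form. It assumes a table EMP (EMPNO, ENAME, JOB, SAL), a free-text item P10_SEARCH and a select-list item P10_SORT; all three are assumptions for the illustration.

```sql
-- Region source, type "PL/SQL Function Body returning SQL Query".

-- VULNERABLE: &P10_SEARCH. is replaced textually before the statement is
-- parsed. A search value of   x' or 1=1 --   turns the WHERE clause into
--   where ename like '%x' or 1=1 --%'   and returns every row.
return 'select empno, ename, job, sal from emp '
    || 'where ename like ''%&P10_SEARCH.%''';

-- HARDENED (use this body instead): the search text stays a bind inside the
-- returned SQL, so APEX binds the session-state value at execute time and it
-- can only ever be data. The sort column is an identifier and cannot be bound,
-- so it is checked against an allow list and then normalised with DBMS_ASSERT.
declare
    l_sort varchar2(128) := nvl(:P10_SORT, 'ENAME');
begin
    -- Allow list first: DBMS_ASSERT.SIMPLE_SQL_NAME only guarantees a
    -- syntactically valid identifier (a quoted "anything" passes too), not
    -- that the user may reference it. Unknown values fail closed.
    if l_sort not in ('ENAME', 'JOB', 'SAL') then
        raise_application_error(-20001, 'Invalid sort column');
    end if;
    l_sort := dbms_assert.simple_sql_name(l_sort);

    return 'select empno, ename, job, sal from emp '
        || 'where ename like ''%'' || :P10_SEARCH || ''%'' '
        || 'order by ' || l_sort;
end;
```

Note that the hardened version concatenates only a value that has already been reduced to one of three literals; the user-supplied search text never touches the statement text at all.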
Cross-Site Scripting (XSS)
Set the "Escape special characters" property to Yes on all report columns and display items unless you specifically need HTML rendering; that setting escapes the value on output so markup stored in the data is displayed rather than interpreted. Anywhere you build HTML yourself (PL/SQL Dynamic Content regions, HTML Expressions, htp.p calls), escape each value server-side with APEX_ESCAPE.HTML (the older HTF.ESCAPE_SC still works, but APEX_ESCAPE is preferred and also provides HTML_ATTRIBUTE and JS_LITERAL for attribute and script contexts, where plain HTML escaping is not sufficient). For values that must render a subset of HTML, do not simply switch escaping off; pass them through APEX_ESCAPE.HTML_WHITELIST so that only the tags you allow survive. Review every region or column that renders raw HTML (Rich Text items, columns with escaping disabled, "Display As" set to HTML) and confirm the source is trusted and not user-editable.
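The Session Management and XSS sections above come together whenever a region renders links and text by hand, so one added example (not from the page or from Oracle) covers both: a PL/SQL Dynamic Content region that builds a list of checksummed links with escaping appropriate to each output context. The two sample rows are constructed inline, with the second row carrying attacker-style input; the target page 20 and item P20_ID are assumed for the illustration.

```sql
-- Region type: PL/SQL Dynamic Content. Constructed sample rows stand in for a
-- comments table; NAME and BODY are treated as attacker-controlled input.
declare
    cursor c_rows is
        select 1 as id, 'alice' as name,
               '<b>looks fine</b>' as body
          from dual
        union all
        select 2, '<img src=x onerror=alert(1)>',
               '<a href="javascript:alert(2)">click</a><p>hi</p>'
          from dual;
begin
    htp.p('<ul>');
    for r in c_rows loop
        htp.p('<li><a href="'
              -- With Session State Protection on page 20, PREPARE_URL appends
              -- the checksum the page requires; a hand-built f?p= string would
              -- be rejected. The result goes into an attribute, so it is
              -- escaped with HTML_ATTRIBUTE, not HTML.
              || apex_escape.html_attribute(
                     apex_util.prepare_url(
                         'f?p=' || :APP_ID || ':20:' || :APP_SESSION
                         || '::NO::P20_ID:' || r.id))
              || '">'
              -- Plain text context: escape everything, so the img/onerror
              -- payload is displayed as literal text.
              || apex_escape.html(r.name)
              || '</a>: '
              -- BODY is meant to render a small HTML subset. HTML_WHITELIST
              -- keeps only the listed tags and escapes everything else, so the
              -- javascript: link is shown as text while <b> and <p> still render.
              || apex_escape.html_whitelist(
                     p_html           => r.body,
                     p_whitelist_tags => '<b>,</b>,<i>,</i>,<p>,</p>')
              || '</li>');
    end loop;
    htp.p('</ul>');
end;
```

The point to take away is that there is no single "escape" call: the URL, the link text and the rich-text body each live in a different HTML context and each gets the APEX_ESCAPE function for that context.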
Data Access Controls
Review the parsing schema and ensure it holds only the privileges the application needs (typically CREATE SESSION plus object privileges on the tables, views and packages it actually uses). Never use SYS or SYSTEM, or any schema holding DBA-like roles, as the parsing schema. Use database views or Virtual Private Database (VPD) policies to limit which rows each user can see, and make sure a policy fails closed when no APEX user is present (for example when the schema is queried outside an APEX session). Remove or disable sample data and demo pages before deployment; they are easy to overlook and frequently carry weaker authorization than the rest of the application.
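As an added example (not from the page), here is a VPD policy that restricts EMP rows to the departments assigned to the current APEX user and that fails closed outside an APEX session. The EMP_ACCESS table, its rows and the parsing schema name HR_APP are constructed for the illustration; the APEX$SESSION context is set by the APEX engine, and DBMS_RLS requires an EXECUTE grant that a DBA normally provides.

```sql
-- Constructed mapping table for the example (not part of APEX).
create table emp_access (
    username varchar2(255) not null,
    deptno   number        not null,
    constraint emp_access_pk primary key (username, deptno)
);
insert into emp_access values ('ALICE', 10);
insert into emp_access values ('BOB',   20);
commit;

-- Policy function. The APEX engine populates the APEX$SESSION context
-- (APP_USER, APP_SESSION, WORKSPACE_ID) for every request. Outside an APEX
-- session APP_USER is null, the subquery matches nothing, and the policy
-- returns no rows instead of all rows: it fails closed.
create or replace function emp_dept_policy (
    p_schema in varchar2,
    p_object in varchar2 )
    return varchar2
is
begin
    return q'[deptno in (select a.deptno
                           from emp_access a
                          where a.username = sys_context('APEX$SESSION', 'APP_USER'))]';
end emp_dept_policy;
/

-- Attach the policy to EMP in the parsing schema (assumed here to be HR_APP).
-- Covering INSERT/UPDATE/DELETE with update_check prevents a user from
-- creating or moving a row into a department they are not allowed to see.
begin
    dbms_rls.add_policy(
        object_schema   => 'HR_APP',
        object_name     => 'EMP',
        policy_name     => 'EMP_DEPT_POLICY',
        function_schema => 'HR_APP',
        policy_function => 'EMP_DEPT_POLICY',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        update_check    => true);
end;
/
```

Keep in mind that VPD is bypassed by users holding EXEMPT ACCESS POLICY (SYS included), which is one more reason such accounts must never be the parsing schema.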
HTTPS and Headers
Enforce HTTPS for all traffic. In Instance Administration (Manage Instance > Security), require HTTPS so that APEX refuses plain HTTP requests, and verify that the ORDS or reverse-proxy TLS setup is correct end to end. Configure ORDS or the web server in front of it to send security headers: Content-Security-Policy (start in report-only mode and test, because APEX pages use inline scripts and a strict policy will break them unless it allows what your version emits), X-Frame-Options to prevent clickjacking (the application-level Browser Security attribute "Embed in Frames" set to Deny sends this header for you), X-Content-Type-Options: nosniff, and Strict-Transport-Security (only once HTTPS works everywhere, and with a short max-age first). Confirm with an HTTP client or the browser's developer tools that the headers actually arrive on the production URL rather than only on a test host.
Final Review
Run the APEX Advisor (App Builder > Utilities > Advisor), which scans the application for common security issues (for example pages without authorization or substitution strings used in SQL), accessibility problems, and best-practice violations. Run the security checks first and address every finding before deployment. Advisor only inspects what the builder can see: custom PL/SQL packages, views and database privileges still need manual review. Re-run it after every significant change and keep the results with the release record.