Thursday, May 26, 2016

Please, use HTTPS for your APEX apps

Why use HTTPS?

When you Google this question you get many different answers, but this answer of Google Developers answers it for me in short (click the link for more details):
  • HTTPS protects the integrity of your website/APEX app
  • HTTPS protects the privacy and security of your users
  • HTTPS is the future of the web; many new technologies only work with https (for example Service Workers; you can read more about Service Workers and APEX in my presentation)
Industry going to HTTPS

Before websites had an HTTP portion and an HTTPS portion, which became active when you would login to the site, but nowadays everything is under HTTPS. Google will actually rank your site higher when it's using HTTPS. Look at the sites you visit; many of them will now use HTTPS as a default.

HTTPS on localhost

If you're developing locally, you don't really need HTTPS on localhost, but I still like to have that.
Here're the steps I did in Chrome on my Mac (OSX) to get the nice green lock when developing locally (works also with APEX Front-End Boost)
  • In the address bar, click the little lock with the X. This will bring up a small information screen. Click the button that says "Certificate Information."
  • Click and drag the certificate image to your desktop. 
  • Double-click it. This will bring up the Keychain Access utility. Enter your password to unlock it.
  • Be sure you add the certificate to the System keychain, NOT the login keychain. 
  • After it has been added, double-click it. 
  • Expand the "Trust" section. "When using this certificate," set to "Always Trust"
  • Close Keychain Access and restart Chrome, and your self-signed certificate should be recognized now by the browser.
HTTPS on your own server

For years I've been using SSL certificates ordered from Godaddy, but depending the certificate you get, it might not be that cheap. The APEX R&D website is a multi-site certificate - the same certificate is used for the APEX Office Print website.

But there's some good news... you can get SSL for free too (and it's very easy to do!), thanks to Letsencrypt. I used Letsencrypt to protect the APEX app/website for example.
Here's the Getting Started Guide from Let's Encrypt. This is the command I used (after installing the package):

./letsencrypt-auto certonly --webroot -w /var/www/euro2016 -d -d

If you're not yet on https with your APEX app/site, I would definitely recommend looking into it :)


ruepprich said...

Great post. I didn't know about letsencrypt. I'll definitely check it out.

Tim... said...

The chances are you are going to front your production application with a reverse proxy or load balancer (which provides reverse proxy functionality). When I say "reverse proxy" in the following sentences, I mean "reverse proxy or load balancer". In both cases, these can provide your SSL termination, so this gives you a couple of options.

1) Don't bother encrypting APEX. Interaction between the client and reverse proxy is encrypted, but internal communication between your reverse proxy and APEX is not encrypted. The reverse proxy is providing your SSL termination.

2) Encrypt APEX. Still do your main SSL termination at the reverse proxy, then re-encrypt so the internal comms between the reverse proxy and APEX is encrypted.

By choice, I would never make an app server publicly accessible. Your typical load balancer can cope with massive throughput of traffic. They usually have full proxy capabilities. What's more, they can help protect against attacks (including DDoS) in a number of ways. Exposing something like WebLogic, Tomcat to the world is a disaster waiting to happen. :)



Dimitri Gielis said...

Hi Tim,

Thanks for the comment and addition.

Maybe the title of the post is confusing; what I meant is make sure you do HTTPS regardless where you configure SSL when exposing your APEX apps. I didn't go into the architectural part and as you describe, you have choices there.
In fact my architecture for the sites I listed in the post all are fronted with an Apache Reverse proxy and some even with another load balancer. So it's Load Balancer (optional) - Apache Reverse Proxy - Tomcat/ORDS - DB :)
(see also

Thanks again,

Apex Work said...

This is an APEX based public website with green HTTPS bar.

Jeffrey Kemp said...

Great article.

A couple years ago I bought an SSL cert to protect my domain, and in order to use it I had to change all my subdomains (e.g. into paths underneath the main domain (e.g.

With LetsEncrypt, I can now serve all my clients on whatever domain they want - whether or or whatever.

Karen said...

Great post - thank you. Off to investigate LetsEncrypt...