Can you use Oracle APEX to create public applications? How to ensure top-level security? What are the other factors to consider? In this article, I’ll provide answers to these questions based on my experience as the CEO of Pretius Low-Codeand Oracle ACE.

People who don’t know Oracle APEX very well tend to believe this technology is only appropriate for systems for internal use, and can’t be used for apps that need to be made available to a wider audience on the Internet. In reality, nothing could be further from the truth. 

During one of the recent keynotes, Oracle’s founder and CEO, Larry Ellison, said that APEX is a strategic platform that Oracle plans to use to create most of its new applications. They’ll also move their popular older products – based on Forms, Java, etc. – to APEX. This includes their SaaS offerings based on Oracle Cloud, which are used by many people all around the globe.

But Oracle is not alone – at Pretius Low-Code, we’ve also created a bunch of public Oracle APEX applications for our clients. And, in this article, I’ll address some security and privacy concerns to show you what you need to consider to build a secure, scalable, public APEX app yourself.

Large-scale public APEX applications

Let’s start with some well-known examples of large-scale, publicly available APEX applications – so you know I’m not making unfounded claims.

  • V-safe – during the COVID-19 pandemic, the US Center for Disease Control and Prevention (CDC) created the V-safe mobile app to monitor patients after vaccinations. The application was made in 63 days and published on Google Play and the Apple Store. It was mandatory in the US and had over 140 million users (1.4 million active daily)
  • Cerner (now Oracle Cerner) – Cerner Corporation is a US-based, multinational company that provides health information technology. Oracle acquired it in one of the largest takeovers of 2022 and now moves most of Cerner’s applications to APEX. The plan is to create a central repository of patient information, coupled with apps for patients and medical professionals 
  • MRHT SMAART Policy Manager – this is an example from our own experience. The cloud- and mobile-ready group policy management application we created for MRHT substantially reduced costs and improved ergonomy. It also allowed the company to change its business model to SaaS. You can read more about this case in another article: How a low-code framework helped Munich Re HealthTech build a data-driven SaaS application – in 4 months & across multiple countries
  • App for volunteer help management – another example from our experience is an application created to help Foundation Ukraine manage volunteers during the refugee crisis caused by Russia’s invasion of Ukraine in 2022. The solution had a visibly smaller scale than others presented here (though nearly 8000 volunteers used it), but it was made incredibly quickly – in just a couple of hours. Read more about it to learn how APEX development helped Ukrainian refugees 

There are many more examples. APEX is used by the ONZ (ILO), Ngena (Quicksizer), FamZoo (FamProperties), and various financial institutions and companies.

If you want to look for interesting APEX apps yourself, check out this community-driven Built With Apex website or search for the Oracle APEX framework at

Public APEX apps – things to consider

Now that I’ve proven that a public APEX app is entirely viable let’s look at some of the things you need to consider to make it work. Based on my experience, there are six key areas.


The first major security question you need to answer is whether you want a cloud solution or one hosted on-premise. Both options are viable with APEX but will require different approaches. You’ll then need to configure the database, network layer, web server and ORDS (certificates, F5, nginx, etc.) accordingly. For example, here is how we would build a secure app for a financial company (a similar scenario can be used in other cases):

  • APEX instance exposed outside the safe zone – i.e., APEX read-only mode
  • Web server and ORDS configuration allowing access only to designated sites/applications and calling limited DB functions
  • Application design including:
    • Exclusion of typical attacks (XSS, SQL Injection, URL Tampering) – built into APEX, supported by Advisor and external tools (e.g., APEX Sert, APEX Sec)
    • APEX validations at FE and base level. Use of dedicated PL/SQL packages, not wizards
    • Control of transferred files (size, type, viruses, sensitive data, XXE), additional NoRobot verification
    • One-way communication to the secure zone (e.g., every 5 minutes, new data is downloaded internally, verified again from the security side and deleted from the external application)
    • Additional event logging at the APEX and PL/SQL level
    • APEX session encryption, Error handling functions, Blocking the opening of additional windows, disabling Session Rejoin and IFrame support, etc.
  • Constant monitoring of the application (enabling logging and connecting it to detectors, deactivating debug in production)

It’s worth pointing out that APEX meets the criteria set by the OWASP Foundation (the Open Source Foundation for Application Security) in all ten key areas.


When it comes to performance, you should do a couple of things: 

  • Configure DB, ORDS and APEX properly – the basics are important. If you’re not sure how to do something, I advise you to check out APEX’s documentation
  • Watch for problems with code quality and APEX components – they can have dire consequences for your app’s performance. Pay special attention to plugins and wizards that generate code
  • Enable load balancing  – APEX supports load balancing, and you should make use of that – it’ll allow you to automate traffic distribution across a number of servers to reduce potential performance bottlenecks


While internal applications can have a basic UX and UI, public solutions are allowed less leeway. They not only need to work well but also look nice while doing so. 

For this reason, you need to give your application a shiny, modern look (company branding and image are also a factor here) and ensure the proper quality of its user interface and general user experience. APEX provides plenty of options concerning colors and themes, and you can achieve whatever you want with custom development.

Depending on the market and the app’s purpose, there are also language and accessibility considerations (options for users with color blindness, bad sight, etc.).

Finally, you may also want to employ the RWD/PWA (Responsive Web Development and Progressive Web Application) approaches in your app design. Both are possible in APEX.


In many cases, web apps created for public availability must also be visible in search engines – otherwise, wide adoption might become a problem. To achieve solid SEO optimization for your APEX app do the following:

  • Create a sitemap for your solution and make it available via an URL – this way, you let Google know you want it to index the application and show it in search results. Without a sitemap, crawling bots are likely to miss a lot of content within an APEX application
  • Ensure support for crawling bots – Make sure you’re not using any measures to prevent Google bots from crawling your website (disallowing Googlebot, etc.)
  • Take care of technical SEO optimization and provide SEO-optimized site content – Optimize the technical SEO aspects of your website. For example, make sure there’s only one version of the website available, remove unnecessary duplicate content (you can use canonical tags to mark duplicates you want to have), use HTTPS to protect sensitive user information, employe breadcrumb navigation, etc. Moreover, content (web pages, and especially articles) within the application should be optimized for specific phrases potential customers type in search engines

Legal aspects

Finally, there are also some legal aspects you need to remember that may not necessarily be an issue in the case of an internal app. For example:

  • Make sure you disclose complete versions of various statutes and regulations you adhere to so that users can read them (and accept, if it’s required) 
  • Provide your policy regarding cookies in a visible place
  • Inform the app’s users where and for how long their data will be stored and who will be responsible for it

Summary: APEX is perfect for public apps

After reading this article, you should no longer wonder whether public applications are feasible in APEX. In fact, hopefully, I managed to convince you that this feasibility isn’t even a real question. With its powerful feature set, top-level security and Oracle’s continued support, the platform is the perfect technology to create web apps designed for really big audiences. 

Are you looking for Oracle APEX experts?

Have the examples I provided here inspired you? If you want to create something spectacular with Oracle APEX and are looking for a team to make it happen, reach out to us at (or using the contact form below). We’ll gladly use our considerable knowledge and experience to your benefit. Expect our answer within 48 hours (preliminary consultations are always free).