APEX’s Page Access Protection (PAP – For Pages) and Session State Protection (SSP – For Items) are excellent security tools to help prevent users from altering session values. What some people may not be aware of is that if you enable PAP for page it does not prevent users from altering the session state of items on that page. All it does is require that any items passed through that page via the URL require a checksum. Malicious users can still alter the item’s session state using AJAX or from other pages. Long story short, if you want to lock your application down you need to enable SSP for all required items.
APEX has a great tool to do this quickly for you rather than having to go into each page item. Shared Components / Session State Protection / Page / (click page number). You can now set the PAP and the SSP for all the page items.
If you do use PAP and SSP the following queries will help you do some quick validations to ensure all your security checks are in place
Pages without Page Access Protection
SELECT aap.application_id, aap.application_name, aap.page_id, aap.page_name FROM apex_application_pages aap WHERE LOWER (aap.page_access_protection) = 'unrestricted' AND aap.application_id = :app_id
Page items without Session State Protection
SELECT aapi.application_id, aapi.application_name, aapi.page_id, aapi.page_name, aapi.item_name FROM apex_application_page_items aapi WHERE aapi.application_id = :app_id AND LOWER (aapi.item_protection_level) = 'unrestricted'
Pages which have Page Access Protection, but have page items with no Session State Protection
This query helps identify pages which you think are locked down, but end users could set the session state of item values
SELECT aapi.application_id, aapi.application_name, aapi.page_id, aapi.page_name, aapi.item_name FROM apex_application_pages aap, apex_application_page_items aapi WHERE LOWER (aap.page_access_protection) != 'unrestricted' AND aap.application_id = :app_id AND aapi.application_id = aap.application_id AND aap.page_id = aapi.page_id AND LOWER (aapi.item_protection_level) = 'unrestricted'