// Module included in the following assemblies:
//
// * security/allowing-javascript-access-api-server.adoc

:_mod-docs-content-type: PROCEDURE
[id="auth-allowing-javascript-access-api-server_{context}"]
= Allowing JavaScript-based access to the API server from additional hosts

The default {product-title} configuration only allows the web console to send requests to the API server.

If you need to access the API server or OAuth server from a JavaScript
application using a different hostname, you can configure additional hostnames
to allow.

.Prerequisites

* Access to the cluster as a user with the `cluster-admin` role.

.Procedure

. Edit the `APIServer` resource:
+
[source,terminal]
----
$ oc edit apiserver.config.openshift.io cluster
----
+
. Add the `additionalCORSAllowedOrigins` field under the `spec` section and
specify one or more additional hostnames:
+
[source,yaml]
----
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2019-07-11T17:35:37Z"
  generation: 1
  name: cluster
  resourceVersion: "907"
  selfLink: /apis/config.openshift.io/v1/apiservers/cluster
  uid: 4b45a8dd-a402-11e9-91ec-0219944e0696
spec:
  additionalCORSAllowedOrigins:
  - (?i)//my\.subdomain\.domain\.com(:|\z) <1>
----
<1> The hostname is specified as a link:https://github.com/google/re2/wiki/Syntax[Golang regular expression] that matches
against CORS headers from HTTP requests against the API server and OAuth server.
+
[NOTE]
====
This example uses the following syntax:

* The `(?i)` makes it case-insensitive.
* The `//` pins to the beginning of the domain and matches the double slash
following `http:` or `https:`.
* The `\.` escapes dots in the domain name.
* The `(:|\z)` matches the end of the domain name `(\z)` or a port separator
`(:)`.
====

. Save the file to apply the changes.