# Subdomain allowlist

By default, Clerk supports [authentication across subdomains](https://clerk.com/docs/guides/development/deployment/production.md#authentication-across-subdomains). When you configure a root domain for production, your application and the [Frontend API](https://clerk.com/docs/reference/frontend-api) (FAPI) can communicate across all subdomains of that domain. To enable this, FAPI accepts cross-origin requests from **any** subdomain of your root domain.

While this enables broad subdomain support, it increases exposure to potential security risks. If an attacker compromises one of your subdomains (e.g., `app.example.com`), they may be able to leverage that access to compromise authentication flows on your primary application domain (e.g., `example.com`).

For this reason, it is strongly recommended to enable **Allowed Subdomains** in production environments. Unless your application requires wildcard subdomain access, you should explicitly allowlist only the subdomains your application needs. When **Allowed Subdomains** is enabled, only your primary domain and explicitly allowlisted subdomains can make cross-origin requests to FAPI. All other subdomains are rejected.

## Configure allowed subdomains

1. In the Clerk Dashboard, navigate to the [**Allowed Subdomains**](https://dashboard.clerk.com/~/domains/allowed-subdomains) page.
2. Toggle on **Enable allowed subdomains**. This restricts access to specific subdomains of your configured domains.
3. Under **Allowed Subdomains**, enter each subdomain that belongs to your primary domain (e.g. `app.example.com` for primary domain `example.com`). Only these subdomains will be allowed to make cross-origin requests to FAPI. Your primary domain is always allowed.
4. Save your changes.

After enabling this setting, FAPI will reject cross-origin requests from any subdomain that is not on the allowlist.

Disabling **Enable allowed subdomains** restores wildcard access across all subdomains of your primary domain, which increases your exposure to subdomain-based attacks.
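To make the difference between the two modes concrete, here is an added example (not Clerk's code) that models the origin check described on this page: the primary domain is always accepted, wildcard mode accepts any subdomain of the root, and allowlist mode accepts only exact entries. It assumes the request carries a standard `Origin` header and that hostnames compare case-insensitively.

```javascript
// Added example modelling the policy described above; this is not Clerk's
// implementation. Assumption: `origin` is the request's Origin header value,
// e.g. "https://app.example.com".

function originHost(origin) {
  // Parse with URL so ports ("https://app.example.com:8443") and look-alike
  // hosts ("https://example.com.evil.com") are handled by hostname extraction
  // rather than by fragile string matching.
  try {
    return new URL(origin).hostname.toLowerCase();
  } catch {
    return null; // "null" or a malformed Origin header: reject
  }
}

function isSubdomainOf(host, root) {
  // Require a dot boundary so "notexample.com" never matches "example.com".
  return host.endsWith("." + root);
}

// policy.allowlistEnabled  -> the "Enable allowed subdomains" toggle
// policy.allowedSubdomains -> entries such as "app.example.com"
function isOriginAllowed(origin, rootDomain, policy) {
  const host = originHost(origin);
  if (host === null) return false;
  const root = rootDomain.toLowerCase();

  // The primary domain is always allowed.
  if (host === root) return true;

  // Hosts outside the root domain are rejected in both modes.
  if (!isSubdomainOf(host, root)) return false;

  // Wildcard mode (toggle off): every subdomain of the root is accepted.
  if (!policy.allowlistEnabled) return true;

  // Allowlist mode (toggle on): only explicitly listed subdomains, exact match.
  const allowed = new Set(policy.allowedSubdomains.map((s) => s.toLowerCase()));
  return allowed.has(host);
}
```

With the toggle on, a request from a compromised but unlisted subdomain such as `blog.example.com` is rejected even though it sits under the root domain.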
