diff --git a/alfa-server/src/main/resources/application.yml b/alfa-server/src/main/resources/application.yml
index fb56b3f6c3d86e266b804df9fe1b92b3132841b7..7e2109ed1ed9d0638cd233a78efcc2bfb7d32938 100644
--- a/alfa-server/src/main/resources/application.yml
+++ b/alfa-server/src/main/resources/application.yml
@@ -107,3 +107,5 @@ ozgcloud:
     search-template: /api/userProfiles/?searchBy={searchBy}
   dms:
     enabled: false
+  domain:
+    url-pattern: https://*.ozg-cloud.de
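Review bot: The new key `ozgcloud.domain.url-pattern` carries no comment saying what consumes it, and its name does not reveal that it acts as a CORS allow-list. The only reader visible in this commit is the `@CrossOrigin` on `OrganisationsEinheitController.search`, so a line such as `# Allowed CORS origin pattern for cross-origin browser access; the wildcard matches every subdomain` above `url-pattern` would keep operators from widening it unknowingly. The same value is repeated as the placeholder default in that annotation, so the two copies can drift apart.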
diff --git a/alfa-service/src/main/java/de/ozgcloud/alfa/SecurityConfiguration.java b/alfa-service/src/main/java/de/ozgcloud/alfa/SecurityConfiguration.java
index 6b087870a02467be4075bd09bfcb38dae0689c3e..c0036e2317eb30ded804e5196cc62c487b40bf63 100644
--- a/alfa-service/src/main/java/de/ozgcloud/alfa/SecurityConfiguration.java
+++ b/alfa-service/src/main/java/de/ozgcloud/alfa/SecurityConfiguration.java
@@ -29,6 +29,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -74,9 +75,10 @@ public class SecurityConfiguration {
 				.requestMatchers("/*").permitAll()
 				.anyRequest().denyAll());
 
-		http.oauth2ResourceServer(this::setOAuth2ResourceServer);
-		http.headers(headers -> headers.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)));
-		http.addFilterBefore(downloadTokenFilter, UsernamePasswordAuthenticationFilter.class);
+		http.oauth2ResourceServer(this::setOAuth2ResourceServer)
+				.headers(headers -> headers.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)))
+				.addFilterBefore(downloadTokenFilter, UsernamePasswordAuthenticationFilter.class)
+				.cors(Customizer.withDefaults());
 
 		return http.build();
 	}
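Review bot: The added `.cors(Customizer.withDefaults())` does not say where the CORS rules come from, and no `CorsConfigurationSource` bean is visible in this hunk. With the defaults, Spring Security uses a bean named `corsConfigurationSource` if one exists and otherwise falls back to the Spring MVC CORS configuration, which here would be the `@CrossOrigin` annotation added in OrganisationsEinheitController. A comment above the call, such as `// CORS rules come from Spring MVC (@CrossOrigin on controllers); endpoints without the annotation stay same-origin`, would record that intent. The method starts outside the hunk, so whether such a bean is defined elsewhere in the class cannot be confirmed from here.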
diff --git a/alfa-service/src/main/java/de/ozgcloud/alfa/collaboration/OrganisationsEinheitController.java b/alfa-service/src/main/java/de/ozgcloud/alfa/collaboration/OrganisationsEinheitController.java
index 388dbd757bc6091527ad6c54a1c77c1358dfbe2a..911717902889dfc59197573842a89151a6792c83 100644
--- a/alfa-service/src/main/java/de/ozgcloud/alfa/collaboration/OrganisationsEinheitController.java
+++ b/alfa-service/src/main/java/de/ozgcloud/alfa/collaboration/OrganisationsEinheitController.java
@@ -28,6 +28,7 @@ import java.util.Optional;
 import org.springframework.hateoas.CollectionModel;
 import org.springframework.hateoas.EntityModel;
 import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -53,6 +54,7 @@ class OrganisationsEinheitController {
 		return ResponseEntity.of(Optional.of(service.getById(organisationsEinheitId)).map(assembler::toModel));
 	}
 
+	@CrossOrigin(originPatterns = "${ozgcloud.domain.url-pattern:https://*.ozg-cloud.de}")
 	@GetMapping(params = { SEARCH_BY_PARAM })
 	public CollectionModel<EntityModel<OrganisationsEinheitHeader>> search(@RequestParam String searchBy) {
 		return headerModelAssembler.toCollectionModel(service.searchOrganisationsEinheiten(searchBy).toList());
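Review bot: The origin pattern on `search` lets every HTTPS subdomain of ozg-cloud.de read this endpoint cross-origin, which is wider than needed if only a few known front ends call it. Narrowing the configured value to those specific origins would shrink the set of hosts trusted with the search results. The inline fallback `:https://*.ozg-cloud.de` also means a missing or misspelled property silently yields the wildcard. `@CrossOrigin(originPatterns = "${ozgcloud.domain.url-pattern}")` would fail at startup instead, provided the property is defined in every context that loads this controller, which this diff does not show. The body of `search` closes outside the hunk.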