Blog

Brotli, Vary: Accept-Encoding, and CORS: cache key explosion at the edge

When APIs negotiate compression, caches key responses by encoding and origin—misconfigured Vary breaks hit ratio.

Published: 2026-06-08Updated: 2026-06-101 min read

compressioncachingcors

Interactions

If you add Vary: Origin and Accept-Encoding, CDNs multiply cache variants—monitor byte hit rate.

Some browsers send different Accept-Encoding tokens—treat unknown tokens conservatively.

OPTIONS responses may be short; still set sensible Cache-Control for max-age on preflight where safe.

Avoid gzip and brotli on tiny OPTIONS bodies—empty responses are cheaper.