CDN caching and CORS: Vary, surrogate keys, and pitfalls
If responses differ by Origin, caches must vary correctly or users see cross-talk.
Vary header essentials
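When Access-Control-Allow-Origin echoes a specific origin, the response should include Vary: Origin so that caches key stored copies on the request’s Origin header.
Misconfigured caches can serve a response carrying Site A’s allowed origin to Site B’s users; debug by sending curl requests with several different Origin headers and comparing the Access-Control-Allow-Origin values that come back.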
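The cross-talk described above, modelled as an added example (not code from the original post): a toy shared cache that honours Vary, in front of a hypothetical backend that echoes the Origin header. The origins, the URL path and every function name are constructed for illustration.

```python
# Constructed sample data: two sites allowed to call the same API.
ALLOWED = {"https://a.example", "https://b.example"}

def origin_server(req_headers, send_vary):
    """Hypothetical backend that echoes an allowed Origin into ACAO."""
    resp = {"Content-Type": "application/json"}
    origin = req_headers.get("Origin")
    if origin in ALLOWED:
        resp["Access-Control-Allow-Origin"] = origin
    if send_vary:
        resp["Vary"] = "Origin"  # sent on every response, matched or not
    return resp

class SharedCache:
    """Keys entries on URL plus the request headers named by the stored Vary."""
    def __init__(self, backend):
        self.backend = backend
        self.vary_for_url = {}  # url -> tuple of lower-cased header names
        self.store = {}         # (url, vary values) -> response headers

    def _key(self, url, req_headers):
        names = self.vary_for_url.get(url, ())
        lowered = {k.lower(): v for k, v in req_headers.items()}
        return (url, tuple(lowered.get(n) for n in names))

    def fetch(self, url, req_headers):
        key = self._key(url, req_headers)
        if key in self.store:
            return self.store[key], "HIT"
        resp = self.backend(req_headers)
        vary = resp.get("Vary", "")
        self.vary_for_url[url] = tuple(
            n.strip().lower() for n in vary.split(",") if n.strip())
        self.store[self._key(url, req_headers)] = resp
        return resp, "MISS"

def cross_talk(send_vary):
    """Request as site A, then as site B; return what site B receives."""
    cache = SharedCache(lambda h: origin_server(h, send_vary))
    cache.fetch("/api/data", {"Origin": "https://a.example"})
    resp, status = cache.fetch("/api/data", {"Origin": "https://b.example"})
    return resp.get("Access-Control-Allow-Origin"), status

if __name__ == "__main__":
    print("without Vary:", cross_talk(send_vary=False))
    print("with Vary:   ", cross_talk(send_vary=True))
```

Without Vary, site B's request is a cache hit that carries site A's origin, so site B's browser rejects the response; with Vary: Origin the cache stores one copy per origin.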
APIs behind CDNs
Purge by surrogate key when you rotate CORS policy globally.
Short TTLs on error responses prevent sticky bad states after misconfiguration.
