HTTP caching and Vary: Origin when APIs tailor Access-Control-Allow-Origin per caller
If a response's Access-Control-Allow-Origin depends on the request's Origin, the server must send `Vary: Origin` so caches key on it; otherwise a cached response carrying one site's CORS headers can be served to another site.
Tags: caching, vary, cors
Safe defaults
For public JSON served without credentials, a static `Access-Control-Allow-Origin: *` is the same for every caller, so the response needs no `Vary: Origin` at all; the cost is that you give up per-origin allowlisting (and `*` cannot be combined with `Access-Control-Allow-Credentials: true`).
Private caches in browsers honor Vary too, so the same URL fetched from two different sites in one browser can hit the same cached object; do not assume only CDNs and proxies matter.
Surrogate keys
Fastly and similar CDNs support surrogate-key purges: tag responses with a key for each release that changes CORS behavior, so one purge evicts every object that carried the old headers.
Purge right after an emergency header fix; otherwise objects cached with the bad headers keep being served from the edge until their max-age expires.
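The following is an added example (not code from the original post or from Fastly) that models both points above: an origin that tailors Access-Control-Allow-Origin per caller, and a shared cache that computes its secondary key from the headers named in `Vary` and supports purge by surrogate key. The allowlist, the API URL, the two site origins and the `cors-v2` surrogate-key tag are constructed for the example; `withVary = false` reproduces the missing-header bug.

```javascript
// Added example: per-origin CORS behind a Vary-aware shared cache.
// All origins, URLs and the surrogate-key tag below are constructed for illustration.

const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);
const RELEASE_KEY = "cors-v2"; // assumed surrogate key for the release that set these CORS rules

// Build the origin server's response for one request.
// withVary=false reproduces the bug the post describes.
function buildResponse(requestOrigin, withVary = true) {
  const headers = {
    "content-type": "application/json",
    "cache-control": "public, max-age=300",
    "surrogate-key": RELEASE_KEY,
  };
  if (ALLOWED_ORIGINS.has(requestOrigin)) {
    // Allowlisted caller: reflect its exact origin, which is what makes the response vary.
    headers["access-control-allow-origin"] = requestOrigin;
    headers["access-control-allow-credentials"] = "true";
  }
  if (withVary) headers["vary"] = "Origin";
  return { status: 200, headers, body: '{"ok":true}' };
}

// A shared cache (CDN or proxy) whose secondary key is the value of every
// request header listed in the stored response's Vary, as RFC 9111 requires.
class SharedCache {
  constructor() { this.entries = new Map(); }

  static key(url, reqHeaders, varyValue) {
    const names = (varyValue || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
    const parts = names.map(n => `${n}=${reqHeaders[n] ?? ""}`);
    return `${url}|${parts.join("&")}`;
  }

  lookup(url, reqHeaders) {
    for (const entry of this.entries.values()) {
      if (entry.url !== url) continue;
      // Recompute the key using the stored response's Vary against this request.
      if (SharedCache.key(url, reqHeaders, entry.response.headers.vary) === entry.key) {
        return entry.response;
      }
    }
    return null;
  }

  store(url, reqHeaders, response) {
    const key = SharedCache.key(url, reqHeaders, response.headers.vary);
    const surrogateKeys = (response.headers["surrogate-key"] || "").split(/\s+/).filter(Boolean);
    this.entries.set(key, { url, key, response, surrogateKeys });
  }

  // Evict every object tagged with the given surrogate key; returns the count purged.
  purgeBySurrogateKey(tag) {
    let purged = 0;
    for (const [key, entry] of this.entries) {
      if (entry.surrogateKeys.includes(tag)) { this.entries.delete(key); purged++; }
    }
    return purged;
  }
}

// Two different sites fetch the same API URL through one shared cache.
// Returns the ACAO value each site actually received.
function simulate(withVary) {
  const cache = new SharedCache();
  const url = "https://api.example/v1/profile";
  const fetchVia = (origin) => {
    const req = { origin }; // request headers, lowercased names
    const hit = cache.lookup(url, req);
    if (hit) return hit.headers["access-control-allow-origin"];
    const res = buildResponse(origin, withVary);
    cache.store(url, req, res);
    return res.headers["access-control-allow-origin"];
  };
  const first = fetchVia("https://app.example");
  const second = fetchVia("https://admin.example");
  return { first, second, entries: cache.entries.size, cache };
}
```

With `simulate(false)` the second site receives `Access-Control-Allow-Origin: https://app.example` from cache, exactly the wrong-site header the post warns about; with `simulate(true)` each origin gets its own cached object, and `purgeBySurrogateKey("cors-v2")` drops both at once, which is the release-tag purge the surrogate-key section recommends.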
