Blog

Varnish VCL: CORS headers in vcl_backend_response, saint mode, and caching OPTIONS responses safely

Caching `OPTIONS` is risky—prefer short TTLs or pass-through unless preflight responses are identical for all origins.

Published: 2028-05-20Updated: 2028-05-221 min read

varnishcachecors

Edge side includes

ESI fragments can compose pages with mixed origins—validate CORS on each fragment URL.

Purging related keys after CORS policy changes requires automation scripts.

Two-tier Varnish setups can cache stale CORS—purge both tiers on policy updates.