From 33a09d7db05e8b35acd4c8a247ecbdb72ef704b2 Mon Sep 17 00:00:00 2001 From: Vansh Sharma Date: Mon, 30 Mar 2026 11:02:30 +0530 Subject: [PATCH] fix: do not set Vary: Origin for static string origin option When origin option is a static string, the Access-Control-Allow-Origin response is always the same value regardless of the request's Origin header. Per the Fetch spec, Vary: Origin must NOT be set in this case, as it would unnecessarily increase cache size without any benefit. Fixes #332 --- lib/index.js | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/lib/index.js b/lib/index.js index ad899ca..f89316b 100644 --- a/lib/index.js +++ b/lib/index.js @@ -1,5 +1,4 @@ (function () { - 'use strict'; var assign = require('object-assign'); @@ -45,15 +44,12 @@ value: '*' }]); } else if (isString(options.origin)) { - // fixed origin + // fixed origin: response is always the same regardless of request Origin, + // so Vary: Origin must NOT be set (per fetch spec, see issue #332) headers.push([{ key: 'Access-Control-Allow-Origin', value: options.origin }]); - headers.push([{ - key: 'Vary', - value: 'Origin' - }]); } else { isAllowed = isOriginAllowed(requestOrigin, options.origin); // reflect origin @@ -66,7 +62,6 @@ value: 'Origin' }]); } - return headers; } @@ -94,7 +89,6 @@ function configureAllowedHeaders(options, req) { var allowedHeaders = options.allowedHeaders || options.headers; var headers = []; - if (!allowedHeaders) { allowedHeaders = req.headers['access-control-request-headers']; // .headers wasn't specified, so reflect the request headers headers.push([{ @@ -110,7 +104,6 @@ value: allowedHeaders }]); } - return headers; }
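Review bot: Dropping `Vary: Origin` in the `isString(options.origin)` branch is only cache-safe when that string is fixed at configuration time, and this branch cannot tell a configured constant from a string chosen per request. If a caller can hand this branch a string that was resolved from the request (for example through an origin callback or a per-request options function, neither of which is visible in this diff), a shared cache could replay one origin's `Access-Control-Allow-Origin` value to a different origin. Before merging, confirm how `options.origin` reaches this code, then either keep `Vary: Origin` for request-derived strings or state the constraint in the comment, e.g. `// only safe when options.origin is a constant; a string picked per request still needs Vary: Origin`. The new comment's "must NOT" also reads stronger than the Fetch spec, which, as far as I can tell, only calls for `Vary` when the policy is more complicated than `*` or a static origin. The enclosing function starts and ends outside this hunk.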