fix(middleware/cors): Add Vary header for non-CORS OPTIONS requests

gofiber · Mar 26, 2024 · b2014fd · b2014fd
1 parent 7b4a2aa
commit b2014fd
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/middleware/cors/cors.go b/middleware/cors/cors.go
@@ -182,6 +182,11 @@ func New(config ...Config) fiber.Handler {
 
 		// If it's a preflight request and doesn't have Access-Control-Request-Method header, it's outside the scope of CORS
 		if c.Method() == fiber.MethodOptions && c.Get(fiber.HeaderAccessControlRequestMethod) == "" {
+			// Response to OPTIONS request should not be cached but,
+			// some caching can be configured to cache such responses.
+			// To Avoid poisoning the cache, we include the Vary header
+			// for non-CORS OPTIONS requests:
+			c.Vary(fiber.HeaderOrigin)
 			return c.Next()
 		}