From b2014fdf4642ff0e853bf9a0b431ffc37e0852c5 Mon Sep 17 00:00:00 2001
From: Jason McNeil
Date: Tue, 26 Mar 2024 18:18:18 -0300
Subject: [PATCH] fix(middleware/cors): Add Vary header for non-CORS OPTIONS requests
---
 middleware/cors/cors.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/middleware/cors/cors.go b/middleware/cors/cors.go
index ea91594a70..4fe0eeebb4 100644
--- a/middleware/cors/cors.go
+++ b/middleware/cors/cors.go
@@ -182,6 +182,11 @@ func New(config ...Config) fiber.Handler {
 // If it's a preflight request and doesn't have Access-Control-Request-Method header, it's outside the scope of CORS
 if c.Method() == fiber.MethodOptions && c.Get(fiber.HeaderAccessControlRequestMethod) == "" {
+ // Response to OPTIONS request should not be cached but,
+ // some caching can be configured to cache such responses.
+ // To Avoid poisoning the cache, we include the Vary header
+ // for non-CORS OPTIONS requests:
+ c.Vary(fiber.HeaderOrigin)
 return c.Next()
 }
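Review bot: The added `c.Vary(fiber.HeaderOrigin)` keys a cached response on Origin only, yet this branch is selected by the absence of `Access-Control-Request-Method`, so a shared cache that stores OPTIONS responses could still return this non-CORS response to a genuine preflight from the same origin, which would then fail for that client. Consider `c.Vary(fiber.HeaderOrigin, fiber.HeaderAccessControlRequestMethod)` here, and confirm that the preflight path, which is outside this hunk, varies on the same fields. The diffstat lists only cors.go, so a test asserting the Vary header on an OPTIONS request sent without `Access-Control-Request-Method` would pin the behaviour. The handler returned by New starts and ends outside the hunk.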