What does the Vary header do?

Vary lists the request headers a cache must include in its cache key. If a response says Vary: Accept-Encoding, the cache stores a separate entry for each distinct Accept-Encoding value, so a gzip client never receives an identity-encoded body and vice versa.

Why is Vary: Cookie dangerous for caching?

Cookie values are nearly unique per user, so varying on Cookie creates a separate cache entry for almost every visitor. That destroys cache hit rates and effectively makes the response uncacheable on shared caches.

Should I send Vary: Accept-Encoding?

Yes, whenever you compress responses. It prevents a cache from serving a Brotli-encoded body to a client that only understands gzip or identity. Most CDNs add it automatically for compressed content.

Vary: * tells caches the response varies on factors not captured by request headers, making it effectively uncacheable by shared caches. Use it only when negotiation depends on something outside the request headers.

Does this tool make any request?

No. It is a static, browser-rendered reference. It performs no network calls and stores nothing.

HTTP Vary Header Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

The header that decides what your cache stores

Vary is the single most misunderstood caching header. It tells every cache — the browser, a CDN, a reverse proxy — which request headers must be part of the cache key. Get it right and content negotiation works through caches; get it wrong and you either serve the wrong variant or shred your hit rate. This reference rates the common Vary field names by safety and cache impact.

How it works

When a response includes Vary, a cache stores one entry per distinct combination of the listed request-header values:

Vary: Accept-Encoding, Accept-Language

A request only matches a stored entry if its values for those headers match. So varying on Accept-Encoding keeps gzip and Brotli bodies separate (correct), while varying on Cookie or User-Agent fragments the cache into near-unique entries (harmful). CDNs often normalise values — collapsing dozens of Accept-Encoding strings down to gzip/br/identity — to keep the key small.

Tips and pitfalls

Always Vary: Accept-Encoding for compressed responses.
Avoid Vary: Cookie and Vary: User-Agent on cacheable assets — they bust caches.
Vary: Origin is needed for CORS responses cached across origins.
Vary: * makes a response uncacheable by shared caches — use sparingly.
Keep the list minimal; every extra field multiplies the number of stored variants.