fix(middleware/cors): Vary header handling non-cors OPTIONS requests (#…

…2939) * fix(middleware/cors): Vary header handling non-cors OPTIONS requests * chore(middleware/cors): Add Vary header for non-CORS OPTIONS requests comment
gofiber · Mar 26, 2024 · a6f4c13 · a6f4c13
1 parent e574c0d
commit a6f4c13
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/middleware/cors/cors.go b/middleware/cors/cors.go
@@ -175,6 +175,11 @@ func New(config ...Config) fiber.Handler {
 
 		// If it's a preflight request and doesn't have Access-Control-Request-Method header, it's outside the scope of CORS
 		if c.Method() == fiber.MethodOptions && c.Get(fiber.HeaderAccessControlRequestMethod) == "" {
+			// Response to OPTIONS request should not be cached but,
+			// some caching can be configured to cache such responses.
+			// To Avoid poisoning the cache, we include the Vary header
+			// for non-CORS OPTIONS requests:
+			c.Vary(fiber.HeaderOrigin)
 			return c.Next()
 		}