Explain Vary Header and CORS exploitation.

831    Asked by asutos_8102 in Web-development , Asked on Oct 17, 2022

I saw PortSwigger's blog post discussing the security risks associated with CORS mis-configurations.


The blog talks about insecure ways of enabling CORS which can allow malicious web sites to read data from a target site. Towards the end, the blog talks about a prevention mechanism involving the Vary: Origin header:

If you take a look at the 'Implementation Considerations' section in the CORS specification, you'll notice that it instructs developers to specify the 'Vary: Origin' HTTP header whenever Access-Control-Allow-Origin headers are dynamically generated.

I am having a hard time understanding how exactly the Vary header helps prevent CORS exploitation in a scenario where the Access-Control-Allow-Origin header is dynamically generated.

Answered by Gillian Hamer

It's important to include the Vary header to prevent caching. The header indicates that the response is in some way dependent on the origin and should therefore not be served from cache for any other origin. If the header is missing, cache poisoning attacks might be possible as explained in the article by the example of XSS via a reflected custom header. A missing Vary header doesn't create a vulnerability on its own.

Your Answer


Parent Categories