  • 1
    So this control would only prevent the cache poisoning attacks. There would still be risk associated with accepting arbitrary origins for cross domain data access. Is my understanding correct? Commented Feb 23, 2017 at 7:58
  • @Shurmajee Yes! Commented Feb 23, 2017 at 14:28
  • "should therefore not be served from cache for any other origin" - does it mean that if my frontend app runs on a different domain, and the browser makes requests to this endpoint on the frontend app's behalf, the responses would not get cached? Even if Cache-Control headers are set correctly? Commented Jun 22, 2019 at 17:35
  • 1
    @Arminius Would this attack not be mitigated by the proper cache-control directives? Commented Jul 19, 2019 at 16:08
  • This response isn't quite correct. Vary: Origin does not instruct caches not to cache responses. Rather, it instructs caches to make the request's Origin header (if any) part of the cache key. If the cache respects the Vary header (some, like Cloudflare, do not), the cache will cache responses; it will simply add a new entry for the response to a request with an Origin header that the cache hasn't seen before (or has since forgotten). Commented Nov 13, 2022 at 22:00
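The last comment's point, that Vary: Origin makes the request's Origin header part of the cache key rather than turning caching off, as an added toy simulation (my own example, not code from this thread or from any answer; the endpoint, origins and headers are constructed): a cache that honours Vary keeps one entry per Origin, while a cache that ignores Vary, or a response sent without it, hands the first origin's reflected Access-Control-Allow-Origin value to the next origin that asks.

```python
URL = "https://api.example/data"  # constructed endpoint for the demo

def origin_server(request, send_vary, log):
    """Constructed origin server that reflects Origin into ACAO (as in the answer)."""
    log.append(request["headers"].get("Origin"))
    headers = {"Access-Control-Allow-Origin": request["headers"].get("Origin", "*"),
               "Cache-Control": "public, max-age=3600"}  # cacheable on purpose
    if send_vary:
        headers["Vary"] = "Origin"
    return {"headers": headers, "body": "{}"}


class ToyCache:
    """Shared cache: entries per URL, each tagged with the request-header values
    named by the response's Vary header (when the cache honours Vary at all)."""

    def __init__(self, honour_vary):
        self.honour_vary = honour_vary
        self.entries = {}

    def lookup(self, request):
        # An entry matches only if every Vary-selected header has the same value.
        for selecting, response in self.entries.get(request["url"], []):
            if all(request["headers"].get(h, "") == v for h, v in selecting):
                return response
        return None

    def store(self, request, response):
        vary = response["headers"].get("Vary", "") if self.honour_vary else ""
        names = [h.strip() for h in vary.split(",") if h.strip()]
        selecting = tuple((h, request["headers"].get(h, "")) for h in names)
        self.entries.setdefault(request["url"], []).append((selecting, response))

    def fetch(self, request, server):
        cached = self.lookup(request)
        if cached is not None:
            return cached
        response = server(request)
        self.store(request, response)
        return response


def run_scenario(honour_vary, send_vary):
    """Two pages on different origins fetch URL through one cache; returns the
    ACAO value each received and how many requests reached the origin."""
    cache, log, served = ToyCache(honour_vary), [], []
    for origin in ("https://app.example", "https://other.example"):
        req = {"url": URL, "headers": {"Origin": origin}}
        resp = cache.fetch(req, lambda r: origin_server(r, send_vary, log))
        served.append(resp["headers"]["Access-Control-Allow-Origin"])
    return served, len(log)
```

run_scenario(True, True) gives each origin its own ACAO value from two origin hits, whereas run_scenario(True, False) and run_scenario(False, True) both return the first origin's value twice after a single origin hit, which is the Cloudflare-style situation the later comments describe.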