Julian Reschke wrote:
You can already handle the case of content that's available
unauthenticated, but would potentially differ in case of being
authenticated by adding
Vary: Authorization
to a response.
According to section 14.8 of the HTTP 1.1 specification, the presence of
the Authorization header field implies that the response varies by
Authorization:
When a shared cache (see section 13.7) receives a request
containing an Authorization field, it MUST NOT return the
corresponding response as a reply to any other request, unless one
of the following specific exceptions holds:
[some exceptions in the presence of cache-control directives]
My understanding of this is that "Vary: Authorization" is effectively
implied for all HTTP responses.
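To make the two rules being compared concrete, here is an added example (not code from the thread, and not any particular cache implementation) that models the reuse decision a cache makes for a stored response. It encodes the assumption that Vary binds every cache, private or shared, while section 14.8 binds only shared caches, and uses the three exceptions that section lists (Cache-Control s-maxage, must-revalidate and public). The request and response dicts are constructed for illustration; freshness (max-age expiry) is left out of scope.

```python
"""Model of a cache's reuse decision for a stored HTTP response.

Two rules are applied:
  * Vary (RFC 2616 section 14.44) applies to every cache.
  * Section 14.8 applies only to shared caches: a response obtained for a
    request that carried Authorization must not answer another request unless
    Cache-Control carries s-maxage, must-revalidate or public.

All header dicts are keyed by lowercase header name. Sample traffic at the
bottom is constructed for illustration.
"""


def parse_cache_control(value):
    """Return {directive: value-or-None} for a Cache-Control header value."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if eq else None
    return directives


def vary_matches(vary, stored_request, new_request):
    """True if every header named in Vary has the same value in both requests.

    Vary: * means the stored response can never be matched to another request.
    """
    if vary is None:
        return True
    if vary.strip() == "*":
        return False
    return all(
        stored_request.get(name.strip().lower()) == new_request.get(name.strip().lower())
        for name in vary.split(",")
    )


def reuse_decision(stored_request, stored_response, new_request, shared):
    """Decide what a cache may do with stored_response when it sees new_request.

    Returns "serve" (reuse as-is), "revalidate" (reuse only after revalidating
    with the origin) or "forward" (must not reuse; send the request upstream).
    """
    # Rule 1: Vary applies to every cache, shared or private.
    if not vary_matches(stored_response.get("vary"), stored_request, new_request):
        return "forward"

    # Rule 2: section 14.8 applies only to shared caches, and only when the
    # stored response was obtained for a request that carried Authorization.
    if shared and "authorization" in stored_request:
        cc = parse_cache_control(stored_response.get("cache-control"))
        if "public" in cc or "s-maxage" in cc:
            return "serve"
        if "must-revalidate" in cc:
            # May be reused, but the origin must confirm it first.
            return "revalidate"
        return "forward"

    return "serve"


# Constructed sample requests: one authenticated, one anonymous.
AUTH_REQ = {"host": "example.com", "authorization": "Basic Zm9vOmJhcg=="}
ANON_REQ = {"host": "example.com"}

if __name__ == "__main__":
    # No Vary, no Cache-Control: a shared cache must not reuse it (14.8),
    # but a private cache may, since nothing told it to vary.
    print(reuse_decision(AUTH_REQ, {}, ANON_REQ, shared=True))
    print(reuse_decision(AUTH_REQ, {}, ANON_REQ, shared=False))
    # An explicit Vary: Authorization keeps them apart in the private cache too.
    print(reuse_decision(AUTH_REQ, {"vary": "Authorization"}, ANON_REQ, shared=False))
    # Cache-Control: public is one of the 14.8 exceptions.
    print(reuse_decision(AUTH_REQ, {"cache-control": "public, max-age=60"}, ANON_REQ, shared=True))
```

The first two calls show the difference the thread is about: without any Vary header, a shared cache already refuses to hand the authenticated response to an anonymous request, so "Vary: Authorization" adds nothing for shared caches; it does change the behaviour of a private cache, which is not bound by section 14.8.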