authorMorten Tokle <mortent@yahooinc.com>2022-10-25 13:18:38 +0200
committerGitHub <noreply@github.com>2022-10-25 13:18:38 +0200
commit7c984e2ea7240dd6b491472c71ed5732a5bc8105 (patch)
tree4f964fd99a707ff0243a4ef2f815bed8cca08252
parent70026cc89de5a1586f7b70e261d0f09c437a2263 (diff)
parent98a0d7cff2e297e7e6fb04ba9b9b5ba8cc0526a3 (diff)
Merge pull request #24571 from vespa-engine/mortent/prevent-api-cachingv8.74.15
Prevent browser API caching MERGEOK
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java2
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/SecurityHeadersResponseFilter.java1
2 files changed, 1 insertions, 2 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
index fd9c558f97b..e261f420e1c 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
@@ -22,7 +22,7 @@ class CorsLogic {
"Okta-Access-Token,Okta-Refresh-Token,Vespa-Csrf-Token",
"Access-Control-Allow-Methods", "OPTIONS,GET,PUT,DELETE,POST,PATCH",
"Access-Control-Allow-Credentials", "true",
- "Vary", "Origin"
+ "Vary", "*"
);
static Map<String, String> createCorsResponseHeaders(String requestOriginHeader,
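Review bot: The `"Vary", "*"` entry only tells a cache that a stored response cannot be matched to a later request without going back to the server; it does not forbid storing the response, so credentialed API responses (`Access-Control-Allow-Credentials` is `true` on the line above) can still be written to a browser or intermediary cache. If the aim in the commit title is that API responses are never cached, the explicit directive is `Cache-Control: no-store`, for example `"Cache-Control", "no-store"` next to the `Vary` entry or `response.setHeader("Cache-Control", "no-store");` in `SecurityHeadersResponseFilter`, where this commit drops its `Vary` header. The start of this header map is outside the hunk, so whether it can take another entry needs checking against how the map is built. It also looks as if responses that pass the security-headers filter but not the CORS path now carry no `Vary` header at all, so a short comment on the `Vary` line such as `// "*" instead of "Origin": responses must not be reused across requests` would record the intent.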
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/SecurityHeadersResponseFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/SecurityHeadersResponseFilter.java
index 0059fcf1d25..520e22de136 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/SecurityHeadersResponseFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/SecurityHeadersResponseFilter.java
@@ -20,6 +20,5 @@ public class SecurityHeadersResponseFilter implements SecurityResponseFilter {
response.setHeader("X-Content-Type-Options", "nosniff");
response.setHeader("X-Frame-Options", "DENY");
response.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
- response.setHeader("Vary", "*");
}
}