diff --git a/src/server/cors.js b/src/server/cors.js
index 2f0bd74..eda605d 100644
--- a/src/server/cors.js
+++ b/src/server/cors.js
@@ -11,4 +11,17 @@ export function applyCORSHeaders(req, res) {
 res.setHeader("Access-Control-Allow-Methods", "*");
 res.setHeader("Access-Control-Allow-Headers", "*");
 }
+
+ // Add "Origin" to the `Vary` header, so caches know that the incoming Origin
+ // header can change the response (specifically, the CORS response headers).
+ //
+ // NOTE: In this app, I don't expect "Vary: *" to ever be set. But we try to
+ // be robust about it, just in case! (Adding instead of overwriting *does*
+ // matter for the GraphQL endpoint, which sets "Vary: Accept-Encoding".)
+ const varyContent = res.getHeader("Vary");
+ if (varyContent !== "*") {
+ const varyValues = varyContent ? varyContent.split(/,\s*/) : [];
+ varyValues.push("Origin");
+ res.setHeader("Vary", varyValues.join(", "));
+ }
 }
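Review bot: `varyContent.split(/,\s*/)` on the new `const varyValues` line assumes the existing Vary value is a string, but if `res` is Node's `http.ServerResponse` (the `getHeader`/`setHeader` pair suggests it is), `getHeader()` returns an array when the header was set with an array and a number when set with a number, so this line would throw or mis-split. The same branch also appends "Origin" unconditionally, so running the function twice, or an upstream layer already emitting `Vary: origin` (field names are case-insensitive), yields a duplicated token. Normalising to a token list before editing and adding "Origin" only when it is absent covers both cases, and it also lets the `"*"` check hold when `*` is one of several tokens rather than the whole value. applyCORSHeaders begins before this hunk.
```javascript
  // … unchanged: Access-Control-* headers …
  // getHeader() may return a string, a number, or an array (when set with an
  // array value); normalise to a list of tokens before editing.
  const varyValues = [].concat(res.getHeader("Vary") ?? [])
    .flatMap((v) => String(v).split(/,\s*/))
    .filter(Boolean);
  // "Vary: *" already covers Origin; otherwise add it once (field names are
  // case-insensitive, so an existing "origin" must not be duplicated).
  const hasOrigin = varyValues.some((v) => v.toLowerCase() === "origin");
  if (!varyValues.includes("*") && !hasOrigin) {
    varyValues.push("Origin");
    res.setHeader("Vary", varyValues.join(", "));
  }
```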