diff --git a/internal/server/security.go b/internal/server/security.go
index 60c7d41d6..166501893 100644
--- a/internal/server/security.go
+++ b/internal/server/security.go
@@ -18,6 +18,9 @@ var Security = func(conf *config.Config) gin.HandlerFunc {
 return
 }
 
+ // Set vary header.
+ c.Header(header.Vary, header.DefaultVary)
+
 // If permitted, set CORS headers (Cross-Origin Resource Sharing).
 // See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
 if origin := conf.CORSOrigin(); origin != "" {
diff --git a/pkg/header/content.go b/pkg/header/content.go
index bb2d80043..1bf05be7d 100644
--- a/pkg/header/content.go
+++ b/pkg/header/content.go
@@ -1,7 +1,11 @@
 package header
 
+import "strings"
+
+// Content header names.
 const (
 Accept = "Accept"
+ AcceptEncoding = "Accept-Encoding"
 AcceptRanges = "Accept-Ranges"
 ContentType = "Content-Type"
 ContentTypeForm = "application/x-www-form-urlencoded"
@@ -13,3 +17,9 @@ const (
 Origin = "Origin"
 Vary = "Vary"
 )
+
+// Content header defaults.
+var (
+ DefaultVaryHeaders = []string{XAuthToken, AcceptEncoding}
+ DefaultVary = strings.Join(DefaultVaryHeaders, ", ")
+)
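Review bot: In the `security.go` hunk, `c.Header(header.Vary, header.DefaultVary)` uses gin's set semantics, so it replaces any `Vary` value already on the response and is itself replaced by any later handler or middleware that sets `Vary` again. If that happens, `X-Auth-Token` drops out of the cache key, and a shared cache may store a token-authenticated response without separating it per token. The comment should state the contract, for example `// Set Vary so caches key on the auth token; later handlers must Add to Vary, never Set it.`. `Vary` only partitions cached entries and does not stop them being stored, so authenticated responses still need `Cache-Control: private` or `no-store`; whether that is set elsewhere is not visible here. The `Security` handler starts and ends outside this hunk.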
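Review bot: In the last `content.go` hunk, `DefaultVary` is joined once at package initialisation from the exported, mutable `DefaultVaryHeaders` slice, so a later change to the slice never reaches the header the middleware sends and the two can silently disagree. Either unexport the slice or document it on the declaration, for example `// DefaultVary is computed at init; changing DefaultVaryHeaders afterwards has no effect.`. The list names `X-Auth-Token` as the only credential header; if requests can also authenticate through `Authorization` or a session cookie (not visible in this diff), those request headers belong in the list too, or responses for different users share one cache key. `XAuthToken` is declared outside the lines shown.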