'Vary' response header is overwritten when using CORS middleware unless provided in request headers #4471

@Juuldamen

What version of Hono are you using?

4.10.1

What runtime/platform is your app running on? (with version if possible)

Cloudflare Workers (locally with wrangler dev, 4.43.0)

What steps can reproduce the bug?

Hi. I'm using the hono/cors middleware and also setting the Vary header to Accept for responses in my controller. I noticed that the actual server response is Vary: Origin instead.

After checking the source code I see that Hono checks the request vary header, and if that is not there, it will overwrite it on the response. Does it make sense that it should check the response vary header instead? New to the whole vary header, so I'm assuming it is not normal practice for a request from the client to include it. Or is there a reason for this, i.e. security?

const existingVary = c.req.header('Vary')

Reproduction

I've created a minimal reproduction repository: https://github.com/Juuldamen/hono-vary-cors-issue. See the readme for test commands.

  1. Run server that has a CORS middleware and a controller that returns a response with the Vary header that has a value different than Origin.
  2. Send an HTTP request, for minimal repro: curl -i http://localhost:8787/test

What is the expected behavior?

The Vary header value on the HTTP response should include the values as set on the response in the controller. Preferably it should check if the value includes Origin and, if not, add it when the CORS middleware is used, to prevent issues with CORS if the developer forgets to add this to their Vary response value.

What do you see instead?

The Vary header value in the response only includes Origin, unless the request includes the Vary header itself. Then the response will include the same Vary value as the request.

Additional information

As briefly discussed on Discord: https://discord.com/channels/1011308539819597844/1012485912409690122/1427417950037606421
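
The expected behaviour described in this issue, as an added example that is not part of the original issue and is not Hono's code: `reportedVary` models the overwrite as the report describes it, and `mergeVary` keeps the response's own Vary value and adds Origin only when it is missing. Both function names are hypothetical, and header values are passed as plain strings (an assumption, so the block runs without a server).

```javascript
// Added example, not Hono's code. Header values are plain strings,
// or null when the header is absent (assumption for this sketch).

// Model of the behaviour reported in this issue: the *request* Vary header is
// consulted and the value the controller set on the response is ignored.
function reportedVary(requestVary, responseVary) {
  return requestVary ? requestVary : 'Origin'
}

// Expected behaviour: keep the controller's response value and append the
// field only when it is not already listed (field names are case-insensitive).
function mergeVary(responseVary, field = 'Origin') {
  const tokens = (responseVary ?? '')
    .split(',')
    .map((t) => t.trim())
    .filter((t) => t.length > 0)
  // "Vary: *" already tells caches that anything may vary; nothing to add.
  if (tokens.includes('*')) return '*'
  const present = tokens.some((t) => t.toLowerCase() === field.toLowerCase())
  if (!present) tokens.push(field)
  return tokens.join(', ')
}

// Constructed cases: [request Vary, response Vary set by the controller]
const cases = [
  [null, 'Accept'],              // the report: Accept is lost
  ['Accept-Encoding', 'Accept'], // request value replaces the response value
  [null, 'accept, origin'],      // Origin already present, different case
  [null, '*'],
  [null, null],                  // controller set nothing
]
for (const [req, res] of cases) {
  console.log({ req, res, reported: reportedVary(req, res), merged: mergeVary(res) })
}
```

A shared cache keys stored responses on the fields listed in Vary, so dropping Accept or Origin from the list lets it reuse a response for a request that should have received a different one.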
