Correctly use Vary header #58

@tim-phillips

Description

  • We should set the Vary header to Origin iff dynamically setting the origin (i.e. origin is an array, regex, or function)
  • When setting the Vary header, make sure to append if there's already a value in res.headers['Vary'] and simply set if no value
  • add test('does not include Vary header for static origins')

Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins.

https://www.w3.org/TR/cors/#resource-implementation

If CORS protocol requirements are more complicated than setting Access-Control-Allow-Origin to "*" or a static origin, Vary is to be used.

https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches
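As an added example (not the plugin's own code), the rule from the three bullets above in working form: `Vary: Origin` is only emitted when the configured origin is dynamic, and it is appended to an existing `Vary` value rather than overwriting it. The `origin` shapes, the plain headers object and the function names are assumptions for this illustration.

```javascript
'use strict';

// Origin is static when it is "*" or one fixed string; an array, RegExp or
// function means the response value depends on the request's Origin header.
function isDynamicOrigin(origin) {
  return Array.isArray(origin) || origin instanceof RegExp || typeof origin === 'function';
}

// Merge a field name into an existing Vary value without duplicating it.
// Header field names compare case-insensitively; a wildcard already covers
// every request header, so it is left as-is.
function appendVary(existing, field) {
  if (!existing) return field;
  const fields = String(existing).split(',').map(s => s.trim()).filter(Boolean);
  if (fields.includes('*')) return '*';
  if (fields.some(f => f.toLowerCase() === field.toLowerCase())) return existing;
  return `${fields.join(', ')}, ${field}`;
}

// Find the key under which Vary is stored, whatever its casing (Node's
// setHeader normalises this; a plain object does not).
function varyKey(headers) {
  return Object.keys(headers).find(k => k.toLowerCase() === 'vary');
}

// Apply the rule to a headers object and return it. Static origins get no
// Vary at all, so shared caches may safely reuse the response across origins.
function setCorsVary(headers, origin) {
  if (!isDynamicOrigin(origin)) return headers;
  const key = varyKey(headers) || 'Vary';
  headers[key] = appendVary(headers[key], 'Origin');
  return headers;
}
```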
