When upgrading from Spring Boot 3.1.* to Spring Boot 3.2.0, which includes Spring Security 6.2.0, a response of an endpoint provided by a @RestController class has multiple Vary headers if org.springframework.boot:spring-boot-starter-security is in the class path.
Is this intended? We immediately noticed this change since our CDN Akamai does not cache responses with this header.
Comment From: bclozel
Please create an issue on the Spring Security project: https://github.com/spring-projects/spring-security/issues. Spring Framework does not write such headers.