diff --git a/lib/index.js b/lib/index.js
index ad899ca..e52329b 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -218,6 +218,9 @@
 if (originCallback) {
 originCallback(req.headers.origin, function (err2, origin) {
 if (err2 || !origin) {
+ // Set Vary: Origin even when the origin is not allowed,
+ // since the response depends on the Origin request header
+ vary(res, 'Origin');
 next(err2);
 } else {
 corsOptions.origin = origin;
diff --git a/test/test.js b/test/test.js
index 34ddb41..1125929 100644
--- a/test/test.js
+++ b/test/test.js
@@ -360,6 +360,7 @@ var util = require('util')
 assert.equal(res.getHeader('Access-Control-Allow-Headers'), undefined)
 assert.equal(res.getHeader('Access-Control-Allow-Credentials'), undefined)
 assert.equal(res.getHeader('Access-Control-Max-Age'), undefined)
+ assert.equal(res.getHeader('Vary'), 'Origin')
 done();
 };
@@ -393,6 +394,7 @@ var util = require('util')
 assert.equal(res.getHeader('Access-Control-Allow-Headers'), undefined)
 assert.equal(res.getHeader('Access-Control-Allow-Credentials'), undefined)
 assert.equal(res.getHeader('Access-Control-Max-Age'), undefined)
+ assert.equal(res.getHeader('Vary'), 'Origin')
 done();
 };
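Review bot: The added `vary(res, 'Origin')` covers only the rejected/error branch of the origin callback; the `else` branch hands `origin` to code outside this hunk, and if that downstream origin handling takes the usual `'*'` shortcut without emitting `Vary: Origin` when the callback resolves to `'*'`, a shared cache can still store the permissive `Access-Control-Allow-Origin: *` response produced for one Origin and replay it to an Origin the callback would have rejected — the same cache confusion this commit fixes, but in the direction that actually leaks data. I cannot see that code from this hunk, so treat this as a check rather than a confirmed gap; if it holds, the simplest fix is to hoist the call above the branch so both paths are covered, placing `vary(res, 'Origin');` immediately before `if (err2 || !origin) {` and moving the comment with it. The comment would also be more useful naming the risk it guards against, e.g. `// Always vary on Origin: without it a shared cache could reuse this header-less rejection for an allowed origin (or an allowed-origin response for this one)`. This assumes `vary` is the appending header helper required at the top of the file rather than a plain overwrite, which the hunk does not show. The enclosing middleware function starts before and ends after this hunk.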