diff --git a/index.js b/index.js
index 1e12c01..1b1fca0 100644
--- a/index.js
+++ b/index.js
@@ -40,6 +40,10 @@ module.exports = function(settings) {
 
     if (origin === false) return;
 
+    if ((origin !== '*') && (typeof options.origin !== 'string')) {
+      this.set('Vary', [this.response.get('Vary'), 'Origin'].filter(function(element) {return element;}).join(', '));
+    }
+
     this.set('Access-Control-Allow-Origin', origin);
 
     /**
diff --git a/test/index.js b/test/index.js
index cf049d7..66fd554 100644
--- a/test/index.js
+++ b/test/index.js
@@ -129,6 +129,15 @@ describe('cors({ origin: true })', function() {
       });
   });
 
+  it('should set "Vary" to "Origin"', function(done) {
+    superagent.get('http://localhost:3000')
+      .set('Origin', 'example.org')
+      .end(function(response) {
+        chai.expect(response.get('Vary')).to.equal('Origin');
+        done();
+      });
+  });
+
 });
 
 describe('cors({ origin: false })', function() {
@@ -196,6 +205,15 @@ describe('cors({ origin: [function]})', function() {
       });
   });
 
+  it('should set "Vary" to "Origin"', function(done) {
+    superagent.get('http://localhost:3000')
+      .set('Origin', 'otherhost.com')
+      .end(function(response) {
+        chai.expect(response.get('Vary')).to.equal('Origin');
+        done();
+      });
+  });
+
 });
 
 describe('cors({ expose: "Acccept,Authorization" })', function() {