The `Vary: Accept-Encoding` response header should always be produced if the request goes through the CompressionHandler

[joakime]

Jetty version(s)
12.1.4

Jetty Environment
Any

HTTP version
Any

Java version/vendor (use: java -version)
Any

OS type/version
Any

Description

If a request reaches the CompressionHandler the response should always contain a Vary: Accept-Encoding header.
This is true even if the client does not include an Accept-Encoding header.
This header is used by caching layers to know how to cache the resource, if it can vary, then this header is required.

This is a behavior change in 12.1.x from 12.0.x and the GzipHandler as well (in 12.0.x, the GzipHandler always produced a Vary header)

If we look at existing services, we can verify this behavior as well.

Example, requesting a script resource from developer.mozilla.org without an accept-encoding header...

$ curl --no-progress-meter -v -o /dev/null https://developer.mozilla.org/static/client/8903.3b8e2acd32393bf2.js
* Host developer.mozilla.org:443 was resolved.
> GET /static/client/8903.3b8e2acd32393bf2.js HTTP/2
> Host: developer.mozilla.org
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/2 200 
< x-guploader-uploadid: AOCedOHmL--i1TgXIxSYcWH3o6tZsy96MG8AuuQ7ay6rnEKqNVobNuCnr8BQY0qRIRYjl4k
< x-goog-generation: 1764724292540543
< x-goog-metageneration: 1
< x-goog-stored-content-encoding: identity
< x-goog-stored-content-length: 55309
< x-goog-hash: crc32c=qIVr7Q==, md5=SyM3l0NaKLiH6KDJDc2hVg==
< x-goog-storage-class: STANDARD
< accept-ranges: bytes
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< alt-svc: clear
< referrer-policy: strict-origin-when-cross-origin
< x-content-type-options: nosniff
< strict-transport-security: max-age=63072000
< x-frame-options: DENY
< origin-trial: AxVILwizhbMjxFeHOn1P3R8niO1RJY/smaK4B4d1rLzc1gTaxtXMSaTi+FoigYgCw40uFRDwFcEAeqDR+vVLOW4AAABfeyJvcmlnaW4iOiJodHRwczovL2RldmVsb3Blci5tb3ppbGxhLm9yZyIsImZlYXR1cmUiOiJQcml2YXRlQXR0cmlidXRpb25WMiIsImV4cGlyeSI6MTc0MjA3OTYwMH0=
< x-cloud-trace-context: 781b2f3fc96f3769bdf5015a415ec183
< server: Google Frontend
< content-length: 55309
< via: 1.1 google
< date: Wed, 03 Dec 2025 01:22:39 GMT
< expires: Wed, 03 Dec 2025 02:19:46 GMT
< cache-control: public, max-age=31536000
< age: 156747
< last-modified: Wed, 03 Dec 2025 01:11:32 GMT
< etag: "4b233797435a28b887e8a0c90dcda156"
< content-type: text/javascript
< vary: Accept-Encoding
< x-cache: hit

It produces an vary: accept-encoding header, even if the incoming request wouldn't allow compression.