
How to bypass Firebase Hosting's default Vary on Authorisation header


According to Firebase Hosting's documentation: https://firebase.google.com/docs/hosting/functions#when_is_cached_content_served

Firebase Hosting automatically ensures that an appropriate Vary header is set on your response for common situations. This includes making sure that any session cookie or authorization header that you're using is made part of the cache key, which prevents accidental leaks of content.

Firebase Hosting will automatically put "authorization" header into Vary.

However, some APIs do need to take the "Authorization" header and determine whether or not to cache the response in Firebase Hosting.

May I know how we can make Firebase Hosting not Vary on the Authorisation header? Thanks.


Solution

  • [Note, I'm a Firebaser that worked on Hosting]

    For a Firebase Function that is connected through Firebase Hosting, you cannot change the default Vary header that is returned. If the Function adds additional values to the Vary header, those will be included, but the defaults cannot be overridden.

    [Edit with an idea...]

    You might (and it’s a big might, I haven’t tried this) be able to call the Function’s endpoint directly rather than through Hosting if you really don’t want the Vary header to include Authorization. You would have to deal with CORS and related things, but you’d have more control over it.

    Because the benefit of Hosting is that it’s behind a CDN, it needs a good (secure) way to cache the information, and Authorization is critical to that. If you want to handle some of that yourself, calling the Function directly may be the best bet.
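
Why the cache key needs Authorization, as an added example that is not part of the original answer and not Firebase's code: a small model of a shared cache that honors Vary, run once with the defaults and once without them. `SharedCache`, `effectiveVary`, `profileOrigin` and the contents of `DEFAULT_VARY` are assumptions made for illustration, based only on the documentation quoted in the question.

```javascript
// Minimal model of a shared (CDN) cache that honors Vary; constructed for illustration.

// Assumed defaults, from the documentation quoted in the question (authorization
// header and session cookie). The real list may contain more entries.
const DEFAULT_VARY = ['authorization', 'cookie'];

// Merge the defaults with whatever the function put in its own Vary header.
// Function-supplied values are added; the defaults are never removed.
function effectiveVary(functionVary = '', defaults = DEFAULT_VARY) {
  const extra = functionVary.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
  return [...new Set([...defaults, ...extra])];
}

// Cache key = method + URL + the value of every request header named in Vary.
function cacheKey(req, vary) {
  const parts = vary.map(h => `${h}=${req.headers[h] ?? ''}`);
  return [req.method, req.url, ...parts].join('|');
}

class SharedCache {
  constructor(defaults = DEFAULT_VARY) {
    this.defaults = defaults;
    this.varyByUrl = new Map(); // URL -> Vary list learned from the origin
    this.entries = new Map();   // cache key -> stored body
  }
  // originFn(req) returns { body, vary }, like a function that allows public caching.
  fetch(req, originFn) {
    const vary = this.varyByUrl.get(req.url);
    if (vary && this.entries.has(cacheKey(req, vary))) {
      return { body: this.entries.get(cacheKey(req, vary)), hit: true };
    }
    const res = originFn(req);
    const learned = effectiveVary(res.vary, this.defaults);
    this.varyByUrl.set(req.url, learned);
    this.entries.set(cacheKey(req, learned), res.body);
    return { body: res.body, hit: false };
  }
}

// Constructed origin: the body depends on the caller's bearer token.
const profileOrigin = req => ({ body: `profile for ${req.headers.authorization}`, vary: 'Accept-Language' });
const get = token => ({ method: 'GET', url: '/api/me', headers: { authorization: token } });

// Alice requests first, then Bob; returns what Bob receives from the cache layer.
function demo(defaults) {
  const cache = new SharedCache(defaults);
  cache.fetch(get('Bearer alice'), profileOrigin);
  return cache.fetch(get('Bearer bob'), profileOrigin);
}
```

`demo()` gives Bob a cache miss and his own body, while `demo([])` (no defaults) gives Bob a cache hit containing Alice's body, which is the accidental leak the documentation refers to.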