The `Vary: Cookie` header value breaks our caching. We are working around this with some nasty Nginx configs we would like to remove. We should make sure the application does not include `Vary: Cookie` in its responses. Note: We do need to include `Vary: Accept`, since DRF uses uses the Accept header.
To add some more detail: this only applies to cache-sensitive pages, and does not apply to pages that use authentication.
The PR below adds test that verifies that we don't send the problem headers. However, going through the code, I came to the conclusion that we have already fixed this bug. The Vary header is controlled by a middleware that is not included in ProductionReadOnly configs. We have removed the hacks in prod. https://github.com/mozilla/normandy/pull/263