diff --git a/lib/index.js b/lib/index.js
index 1fd4864..22c14f2 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -5,32 +5,23 @@
 
   'use strict';
 
-  var defaults = {
-    origin: '*',
-    methods: 'GET,HEAD,PUT,PATCH,POST,DELETE'
-  };
+  var vary = require('vary'),
+    defaults = {
+      origin: '*',
+      methods: 'GET,HEAD,PUT,PATCH,POST,DELETE'
+    };
 
   function configureOrigin(options, req) {
-    var origin = options.origin, header;
+    var origin = options.origin;
     if (origin === true) {
       origin = req.headers.origin;
     } else if (!origin) {
       origin = '*';
     }
-    header = {
+    return {
       key: 'Access-Control-Allow-Origin',
       value: origin
     };
-    if (origin !== '*') {
-      return [
-        {
-          key: 'Vary',
-          value: 'Origin'
-        },
-        header
-      ];
-    }
-    return header;
   }
 
   function configureMethods(options) {
@@ -107,6 +98,7 @@
               return applyHeaders(header, res);
             } else if (header.value) {
               if (res.set) {
+                // for Express 4+
                 res.set(header.key, header.value);
               } else {
                 // for Express <4
@@ -115,6 +107,9 @@
             }
           }
         });
+        if (res.get('Origin') !== '*') {
+          vary(res, 'Origin');
+        }
       };
 
     if (method === 'OPTIONS') {
diff --git a/package.json b/package.json
index c9d1721..869959d 100644
--- a/package.json
+++ b/package.json
@@ -1,41 +1,43 @@
 {
-    "name": "cors"
-  , "version": "2.5.0"
-  , "author": "Troy Goode <troygoode@gmail.com> (https://github.com/troygoode/)"
-  , "description": "middleware for dynamically or statically enabling CORS in express/connect applications"
-  , "keywords": ["cors", "express", "connect", "middleware"]
-  , "homepage": "https://github.com/troygoode/node-cors/"
-  , "repository": {
-      "type": "git"
-    , "url": "git://github.com/troygoode/node-cors.git"
-  }
-  , "contributors": [
+  "name": "cors",
+  "version": "2.5.1",
+  "author": "Troy Goode <troygoode@gmail.com> (https://github.com/troygoode/)",
+  "description": "middleware for dynamically or statically enabling CORS in express/connect applications",
+  "keywords": ["cors", "express", "connect", "middleware"],
+  "homepage": "https://github.com/troygoode/node-cors/",
+  "repository": {
+    "type": "git",
+    "url": "git://github.com/troygoode/node-cors.git"
+  },
+  "contributors": [
     {
-        "name": "Troy Goode"
-      , "email": "troygoode@gmail.com"
-      , "web": "https://github.com/troygoode/"
+      "name": "Troy Goode",
+      "email": "troygoode@gmail.com",
+      "web": "https://github.com/troygoode/"
     }
-  ]
-  , "licenses": [
+  ],
+  "licenses": [
     {"type": "MIT", "url": "http://www.opensource.org/licenses/mit-license.php"}
-  ]
-  , "bugs": {"url": "https://github.com/troygoode/node-cors/issues"}
-  , "main": "./lib/index.js"
-  , "engines": {
-      "node": ">=0.10.0"
-  }
-  , "dependencies": {}
-  , "devDependencies": {
-      "basic-auth-connect": "^1"
-    , "body-parser": "^1.4.3"
-    , "express": "^4"
-    , "lint": "^1.1.2"
-    , "mocha": "^1.18.2"
-    , "should": "^3.3.1"
-    , "supertest": "^0.12.0"
-  }
-  , "scripts": {
-      "test": "./node_modules/mocha/bin/mocha"
-    , "lint": "./node_modules/lint/bin/node-lint lib test"
+  ],
+  "bugs": {"url": "https://github.com/troygoode/node-cors/issues"},
+  "main": "./lib/index.js",
+  "engines": {
+    "node": ">=0.10.0"
+  },
+  "dependencies": {
+    "vary": "^1"
+  },
+  "devDependencies": {
+    "basic-auth-connect": "^1",
+    "body-parser": "^1.4.3",
+    "express": "^4",
+    "lint": "^1.1.2",
+    "mocha": "^1.18.2",
+    "should": "^3.3.1",
+    "supertest": "^0.12"
+  },
+  "scripts": {
+    "test": "./node_modules/mocha/bin/mocha",
+    "lint": "./node_modules/lint/bin/node-lint lib test"
   }
 }
diff --git a/test/cors.js b/test/cors.js
index 2d42747..046c812 100644
--- a/test/cors.js
+++ b/test/cors.js
@@ -35,6 +35,9 @@
         setHeader: function (key, value) {
           headers[key] = value;
           return;
+        },
+        get: function (key) {
+          return headers[key];
         }
       };
     };
@@ -208,7 +211,7 @@
         cors(options)(req, res, next);
       });
 
-      it('includes vary origin header for specific origins', function (done) {
+      it('includes Vary header for specific origins', function (done) {
         // arrange
         var req, res, next, options;
         options = {
@@ -226,6 +229,25 @@
         cors(options)(req, res, next);
       });
 
+      it('appends to an existing Vary header', function (done) {
+        // arrange
+        var req, res, next, options;
+        options = {
+          origin: 'example.com'
+        };
+        req = fakeRequest();
+        res = fakeResponse();
+        res.setHeader('Vary', 'Foo');
+        next = function () {
+          // assert
+          res.getHeader('Vary').should.equal('Foo, Origin');
+          done();
+        };
+
+        // act
+        cors(options)(req, res, next);
+      });
+
       it('origin defaults to *', function (done) {
         // arrange
         var req, res, next, options;