diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
index 3e6f419f6b..b998cf7cda 100644
--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@@ -589,6 +589,8 @@ function rest_send_cors_headers( $value ) {
 		header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 		header( 'Access-Control-Allow-Credentials: true' );
 		header( 'Vary: Origin' );
+	} else if ( 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
+		header( 'Vary: Origin' );
 	}
 
 	return $value;