The Token Binding HTTP spec (https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/) says that the Sec-Token-Binding header may be included in the Vary header. Actually implementing this is somewhat ridiculous, as checking whether the Sec-Token-Binding header for a request matches a cached entry first requires binding the request to a connection.
To stay compliant with the HTTPSTB spec, another option is to treat "Vary: Sec-Token-Binding" as "Cache-Control: no-cache". This bug is to track progress on either bringing the Token Binding implementation in line with HTTPSTB w.r.t. Vary (likely by not caching any response that includes Sec-Token-Binding in the Vary header), or to document how our implementation deviates from the spec.
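The following is an added example, not Chromium code and not part of the bug thread: it implements the cache admission rule the description proposes, treating a response whose Vary header lists Sec-Token-Binding as if it carried "Cache-Control: no-cache", alongside the ordinary byte-comparison Vary matching that a cache can perform for headers like Accept-Encoding. All helper names and header values are constructed for this example.

```python
"""Cache admission rule for 'Vary: Sec-Token-Binding' (added example, not Chromium code).

A response that names Sec-Token-Binding in Vary is treated as if it carried
'Cache-Control: no-cache': it is never served from cache without revalidation.
The helper names are this example's own; header values are constructed sample data.
"""
from typing import Dict, List, Optional, Set

TOKEN_BINDING_HEADER = "sec-token-binding"


def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Lowercase header names so lookups are case-insensitive, as HTTP requires."""
    return {name.lower(): value for name, value in headers.items()}


def parse_list_header(value: Optional[str]) -> List[str]:
    """Split a comma-separated header value into lowercased, trimmed tokens."""
    if not value:
        return []
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def cache_control_directives(headers: Dict[str, str]) -> Set[str]:
    """Return the directive names from Cache-Control (argument after '=' dropped)."""
    items = parse_list_header(headers.get("cache-control"))
    return {item.split("=", 1)[0] for item in items}


def effective_directives(response_headers: Dict[str, str]) -> Set[str]:
    """Cache-Control directives after applying the Sec-Token-Binding rule.

    If Vary lists Sec-Token-Binding, 'no-cache' is added: a cache cannot decide
    whether a stored response matches a new request by comparing header bytes,
    because the header is only meaningful once it has been validated against the
    request's own TLS connection.
    """
    headers = normalize(response_headers)
    directives = cache_control_directives(headers)
    if TOKEN_BINDING_HEADER in parse_list_header(headers.get("vary")):
        directives.add("no-cache")
    return directives


def may_serve_from_cache(response_headers: Dict[str, str]) -> bool:
    """True if a stored copy may be reused without revalidation.

    Simplified model: 'no-store' and 'no-cache' (including the one implied by
    Vary: Sec-Token-Binding) and 'Vary: *' all block reuse; freshness is ignored.
    """
    headers = normalize(response_headers)
    directives = effective_directives(headers)
    if "no-store" in directives or "no-cache" in directives:
        return False
    if "*" in parse_list_header(headers.get("vary")):
        return False
    return True


def vary_matches(vary: str, stored_request: Dict[str, str],
                 new_request: Dict[str, str]) -> bool:
    """Plain Vary matching: every listed request header must be byte-equal.

    This is the comparison a cache can do for ordinary Vary fields such as
    Accept-Encoding; it is exactly what is insufficient for Sec-Token-Binding.
    """
    stored = normalize(stored_request)
    new = normalize(new_request)
    return all(stored.get(name) == new.get(name)
               for name in parse_list_header(vary))


if __name__ == "__main__":
    # Constructed responses: one ordinary, one varying on Sec-Token-Binding.
    ordinary = {"Vary": "Accept-Encoding", "Cache-Control": "max-age=600"}
    bound = {"Vary": "Accept-Encoding, Sec-Token-Binding", "Cache-Control": "max-age=600"}
    print("ordinary reusable:", may_serve_from_cache(ordinary))  # True
    print("token-bound reusable:", may_serve_from_cache(bound))  # False
    print("effective directives:", sorted(effective_directives(bound)))
```

Header-name comparison is case-insensitive throughout, so "SEC-TOKEN-BINDING" in Vary triggers the rule just as the canonical spelling does; the example deliberately never tries to byte-compare Sec-Token-Binding values, since that comparison is the step the description calls out as requiring connection binding first.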
Comment 1 by nhar...@chromium.org, Aug 16