diff --git a/CHANGELOG.md b/CHANGELOG.md index bfae45f1..f1e8d9c8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,10 +26,14 @@ and this project adheres to ### Fixed +- The `Vary` header is now added along with `Access-Control-Allow-Origin` to + prevent cache-related and other issues in browsers ([#2658]). + domain, but with an HTTP scheme as opposed to `*` ([#2484]). - The request body size limit is now set for HTTPS requests as well. - Incorrect version tag in the Docker release ([#2663]). - DNSCrypt queries weren't marked as such in logs ([#2662]). +[#2658]: https://github.com/AdguardTeam/AdGuardHome/issues/2658 [#2662]: https://github.com/AdguardTeam/AdGuardHome/issues/2662 [#2663]: https://github.com/AdguardTeam/AdGuardHome/issues/2663 [#2664]: https://github.com/AdguardTeam/AdGuardHome/issues/2664 diff --git a/internal/home/control.go b/internal/home/control.go index 71bf52e5..19876b12 100644 --- a/internal/home/control.go +++ b/internal/home/control.go @@ -251,12 +251,15 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) { // Allow the frontend from the HTTP origin to send requests to the HTTPS // server. This can happen when the user has just set up HTTPS with - // redirects. + // redirects. Prevent cache-related errors by setting the Vary header. + // + // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. originURL := &url.URL{ Scheme: "http", Host: r.Host, } w.Header().Set("Access-Control-Allow-Origin", originURL.String()) + w.Header().Set("Vary", "Origin") return true }
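Review bot: In the `internal/home/control.go` hunk, the added `w.Header().Set("Vary", "Origin")` replaces any `Vary` value already on the response. If another layer has set one before this function runs (for example `Accept-Encoding` from a compression wrapper; not visible here), it is dropped and a shared cache may key the response incorrectly. `w.Header().Add("Vary", "Origin")` appends instead and keeps existing entries. Separately, the allowed origin on the context line above is built from the client-supplied `r.Host`, so the comment could state that assumption, e.g. `// NOTE: the allowed origin follows the request's Host header; Host is assumed to be validated elsewhere.` The start of `handleHTTPSRedirect` is outside the hunk, so whether its earlier return paths need the same header cannot be checked from here.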