diff --git a/packages/http-cors/__tests__/index.js b/packages/http-cors/__tests__/index.js
index 8d3cfe4f2..895b4169e 100644
--- a/packages/http-cors/__tests__/index.js
+++ b/packages/http-cors/__tests__/index.js
@@ -39,8 +39,7 @@ test('Should return default headers when { origin: "*" }', async (t) => {
 deepEqual(response, {
 statusCode: 204,
 headers: {
- 'Access-Control-Allow-Origin': '*',
- Vary: 'Origin'
+ 'Access-Control-Allow-Origin': '*'
 }
 })
 })
@@ -185,8 +184,7 @@ test('Access-Control-Allow-Origin header should be "*" when origin is "*"', asyn
 deepEqual(response, {
 statusCode: 204,
 headers: {
- 'Access-Control-Allow-Origin': '*',
- Vary: 'Origin'
+ 'Access-Control-Allow-Origin': '*'
 }
 })
 })
@@ -263,8 +261,7 @@ test('It should return whitelisted origin (any)', async (t) => {
 deepEqual(response, {
 statusCode: 204,
 headers: {
- 'Access-Control-Allow-Origin': '*',
- Vary: 'Origin'
+ 'Access-Control-Allow-Origin': '*'
 }
 })
 })
diff --git a/packages/http-cors/index.js b/packages/http-cors/index.js
index 9f7358397..40f25e6ec 100644
--- a/packages/http-cors/index.js
+++ b/packages/http-cors/index.js
@@ -69,7 +69,6 @@ const httpCorsMiddleware = (opts = {}) => {
 // TODO: IDN -> puncycode not handled, add in if requested
 const regExpStr = origin.replaceAll('.', '\\.').replaceAll('*', '[^.]*')
 originDynamic.push(new RegExp(`^${regExpStr}$`))
- console.log({ originDynamic })
 }
 const modifyHeaders = (headers, options, request) => {
@@ -94,10 +93,11 @@ const httpCorsMiddleware = (opts = {}) => {
 headers['Access-Control-Allow-Methods'] = options.methods
 }
+ let newOrigin
 if (!existingHeaders.includes('Access-Control-Allow-Origin')) {
 const eventHeaders = request.event.headers ?? {}
 const incomingOrigin = eventHeaders.Origin ?? eventHeaders.origin
- const newOrigin = options.getOrigin(incomingOrigin, options)
+ newOrigin = options.getOrigin(incomingOrigin, options)
 if (newOrigin) {
 headers['Access-Control-Allow-Origin'] = newOrigin
 }
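Review bot: None of the updated expectations covers the two conditions that still emit `Vary: Origin` after this commit, `(originAny && newOrigin !== '*')` and `(newOrigin === '*' && options.credentials)` in packages/http-cors/index.js. This hunk and the ones at -185 and -263 only drop `Vary: 'Origin'` from the plain `*` cases. Unless an unchanged test already does so, add a case with `origin: '*'` and `credentials: true` that asserts `Vary: 'Origin'` both with and without an incoming `Origin` header, since that header keeps a shared cache from replaying one origin's CORS response to another. The test bodies start outside the hunks.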
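Review bot: `newOrigin` is assigned only inside `if (!existingHeaders.includes('Access-Control-Allow-Origin'))`, so it stays `undefined` when the response already carries that header, yet the Vary decision in the -107 hunk compares it with `'*'`. In that case `newOrigin !== '*'` is true and `newOrigin === '*'` is false whatever value is actually being sent, so the Vary header no longer follows the effective Access-Control-Allow-Origin. Reading the header itself after this block, e.g. `const allowOrigin = headers['Access-Control-Allow-Origin']`, and testing `allowOrigin` in the later condition would tie the two together. The body of `modifyHeaders` starts and ends outside the hunk.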
@@ -107,8 +107,11 @@ const httpCorsMiddleware = (opts = {}) => {
 addHeaderPart(headers, 'Vary', options.vary)
 }
- // #1251
- if (originAny || originMany) {
+ if (
+ originMany ||
+ (originAny && newOrigin !== '*') ||
+ (newOrigin === '*' && options.credentials)
+ ) {
 addHeaderPart(headers, 'Vary', 'Origin')
 }
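Review bot: The three-clause condition has no comment, and the only pointer to its rationale (`// #1251`) is removed, so a later simplification could silently drop `Vary: Origin` for a reflected origin. Suggest a comment above the `if` such as `// Vary: Origin is required whenever Access-Control-Allow-Origin can differ per request Origin; only a fixed '*' without credentials is safe for a shared cache to reuse`, and keep the issue reference. The third clause presumably covers a credentialed configuration answering `*` to a request that has no `Origin` header; `getOrigin` is not visible here, so confirm that and state it in the comment. The enclosing function continues outside the hunk.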