Dear list, I have enabled gzip with ... gzip on; gzip_http_version 1.0; gzip_vary on; ... to satisfy incoming HTTP 1.0 requests. In a very similiar setup which got OWASP-evaluated, I read this - marked as a defect: "The web server sent a Vary header, which indicates that server-driven negotiation was done to determine which content should be delivered. This may indicateby chili_confits - Nginx Mailing List - English