diff --git a/cors.go b/cors.go
index 4fe1441..a47b7df 100644
--- a/cors.go
+++ b/cors.go
@@ -287,6 +287,9 @@ func (c *Cors) handlePreflight(w http.ResponseWriter, r *http.Request) {
 	headers.Add("Vary", "Origin")
 	headers.Add("Vary", "Access-Control-Request-Method")
 	headers.Add("Vary", "Access-Control-Request-Headers")
+	if c.allowPrivateNetwork {
+		headers.Add("Vary", "Access-Control-Request-Private-Network")
+	}
 
 	if origin == "" {
 		c.logf("  Preflight aborted: empty origin")
diff --git a/cors_test.go b/cors_test.go
index 4d7b5f7..da16a29 100644
--- a/cors_test.go
+++ b/cors_test.go
@@ -401,7 +401,7 @@ func TestSpec(t *testing.T) {
 				"Access-Control-Request-Private-Network": "true",
 			},
 			map[string]string{
-				"Vary":                                 "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
+				"Vary":                                 "Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Access-Control-Request-Private-Network",
 				"Access-Control-Allow-Origin":          "http://foobar.com",
 				"Access-Control-Allow-Methods":         "GET",
 				"Access-Control-Allow-Private-Network": "true",