diff --git a/tests/fixtures.py b/tests/fixtures.py
index 4ca7b10f30..2268ef4de1 100644
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -132,8 +132,6 @@ async def post(
             if csrftoken_from is True:
                 csrftoken_from = path
             token_response = await self._request(csrftoken_from)
-            # Check this had a Vary: Cookie header
-            assert "Cookie" == token_response.headers["vary"]
             csrftoken = token_response.cookies["ds_csrftoken"]
             cookies["ds_csrftoken"] = csrftoken
             post_data["csrftoken"] = csrftoken
diff --git a/tests/test_canned_write.py b/tests/test_canned_write.py
index 5b5756b0d1..aacc586fad 100644
--- a/tests/test_canned_write.py
+++ b/tests/test_canned_write.py
@@ -100,6 +100,12 @@ def test_custom_params(canned_write_client):
     assert '<input type="text" id="qp3" name="extra" value="foo">' in response.text
 
 
+def test_vary_header(canned_write_client):
+    # These forms embed a csrftoken so they should be served with Vary: Cookie
+    assert "vary" not in canned_write_client.get("/data").headers
+    assert "Cookie" == canned_write_client.get("/data/update_name").headers["vary"]
+
+
 def test_canned_query_permissions_on_database_page(canned_write_client):
     # Without auth only shows three queries
     query_names = [