diff --git a/app.py b/app.py
index c7c8055..48f3a05 100644
--- a/app.py
+++ b/app.py
@@ -1415,13 +1415,14 @@ def require_system_password():
 @app.after_request
 def apply_headers(response):
+ # Specjalny endpoint wykresów/API – zawsze no-cache
 if request.path == "/expenses_data":
- response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
+ response.headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
 response.headers["Pragma"] = "no-cache"
 response.headers["Expires"] = "0"
 return response
- # --- statyczne pliki ---
+ # --- statyczne pliki (nagłówki z .env) ---
 if request.path.startswith(("/static/", "/uploads/")):
 response.headers["Vary"] = "Accept-Encoding"
 return response
@@ -1438,7 +1439,6 @@ def apply_headers(response):
 ct = (response.headers.get("Content-Type") or "").lower()
 if "application/json" not in ct:
 response.headers["Content-Type"] = "text/html; charset=utf-8"
- response.headers.pop("Vary", None)
 # --- błędy 5xx ---
@@ -1450,6 +1450,10 @@ def apply_headers(response):
 response.headers["Retry-After"] = "120"
 response.headers.pop("Vary", None)
+ # --- strony dynamiczne (domyślnie) ---
+ # Wszystko, co nie jest /static/ ani /uploads/ ma być no-store/no-cache
+ response.headers.setdefault("Cache-Control", "no-cache, no-store")
+
 return response
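Review bot: The `/static/` and `/uploads/` branch returns after setting only `Vary`, so this function never gives either path a `Cache-Control`, and the reworded comment `(nagłówki z .env)` does not say which setting supplies one. User uploads are covered by the same rule as static assets; if files under `/uploads/` are per-user or sit behind the password gate that the neighbouring `require_system_password` suggests (the route itself is not visible here), a shared cache or proxy must not store them. Consider handling uploads separately, for example `response.headers.setdefault("Cache-Control", "private, no-store")` on the `/uploads/` path, and have the comment name the config key that sets the static headers. The body of `apply_headers` continues outside this hunk.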
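Review bot: `setdefault` fills in `Cache-Control` only when the response has none, so the added comment's claim that everything outside `/static/` and `/uploads/` is no-store does not hold for any view or helper that already set the header (Flask's `send_file` is one likely case, if the app uses it for downloads). If the policy is meant to be enforced for sensitive pages, assign it unconditionally: `response.headers["Cache-Control"] = "no-store, no-cache, must-revalidate"`, which also matches the value used for `/expenses_data`. If per-view overrides are intended, the comment should say so. Indentation is lost in this view, so it is worth confirming that the new lines sit at function level and not inside the 5xx branch, which still pops `Vary` just above. `apply_headers` starts outside this hunk.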