diff --git a/app.py b/app.py index 680467e..32fd272 100644 --- a/app.py +++ b/app.py @@ -1417,6 +1417,13 @@ def require_system_password(): @app.after_request def apply_headers(response): + + if request.path == "/expenses_data": + response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate" + response.headers["Pragma"] = "no-cache" + response.headers["Expires"] = "0" + return response + if request.path.startswith(("/static/", "/uploads/")): response.headers["Vary"] = "Accept-Encoding" return response diff --git a/deploy/varnish/default.vcl.template b/deploy/varnish/default.vcl.template index e1382c9..1e382c1 100644 --- a/deploy/varnish/default.vcl.template +++ b/deploy/varnish/default.vcl.template @@ -71,6 +71,10 @@ sub vcl_recv { return (hash); } + if (!req.http.X-Forwarded-Proto) { + set req.http.X-Forwarded-Proto = "https"; + } + return (hash); } @@ -104,6 +108,14 @@ sub vcl_backend_response { set beresp.uncacheable = true; set beresp.ttl = 0s; return (deliver); + + # NIE cache'uj redirectów do loginu (HTML) z backendu + if (beresp.status >= 300 && beresp.status < 400) { + set beresp.uncacheable = true; + set beresp.ttl = 0s; + return (deliver); + } + } # ---- STATYCZNE: zdejmij Set-Cookie i Vary: Cookie, zapewnij TTL ----
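Review bot: The exact-match test `request.path == "/expenses_data"` in apply_headers protects one spelling of one endpoint, so every other route that returns presumably per-user data still depends on whatever the rest of the function and the Varnish rules decide. With a shared cache in front of the app (the VCL changed in this same commit), a fail-closed default is safer: send `Cache-Control: no-store` on every non-static response and let only the `/static/` and `/uploads/` branch opt into caching. The early `return response` also skips anything set later in apply_headers, whose body continues outside the hunk; if security headers are applied there, confirm they still reach this path. A comment such as `# response must never be stored by the browser or by Varnish` above the new branch would record why this path is special.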
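Review bot: The new block in vcl_recv fills in X-Forwarded-Proto only when it is absent, so a value supplied by the client is forwarded unchanged and the backend will trust it unless the hop in front of Varnish always overwrites the header. Defaulting to `"https"` also tells the backend the request was encrypted when Varnish has not verified that, which can suppress an HTTP-to-HTTPS redirect or Secure-cookie handling for plain-HTTP traffic reaching this listener. The context lines show at least one earlier `return (hash);` above the block, so requests taking that branch never get the default; placing the block at the top of vcl_recv, which starts outside the hunk, would apply it uniformly. A comment naming which proxy is trusted to set the header would document the assumption the default relies on.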
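Review bot: The added 3xx check sits after `return (deliver);` and before the closing `}` of the preceding block, so as far as the visible lines show it is unreachable and redirects are still handled by whatever follows in vcl_backend_response. That leaves the login redirects this commit wants kept out of the cache still cacheable, and a cached redirect can then be served to other clients. Move the whole `if (beresp.status >= 300 && beresp.status < 400) { … }` block below that closing brace so it runs on its own; the enclosing `if` opens outside the hunk, so check its condition when relocating. The condition also matches every 3xx rather than only login redirects as the comment says, so either narrow it (for example by testing `beresp.http.Location`) or reword the comment.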