diff --git a/app.py b/app.py index 32fd272..b0ae4f8 100644 --- a/app.py +++ b/app.py @@ -1417,30 +1417,38 @@ def require_system_password(): @app.after_request def apply_headers(response): - if request.path == "/expenses_data": response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate" response.headers["Pragma"] = "no-cache" response.headers["Expires"] = "0" return response + # --- statyczne pliki --- if request.path.startswith(("/static/", "/uploads/")): response.headers["Vary"] = "Accept-Encoding" return response + # --- redirecty --- if response.status_code in (301, 302, 303, 307, 308): response.headers["Cache-Control"] = "no-store" response.headers.pop("Vary", None) return response + # --- błędy 4xx --- if 400 <= response.status_code < 500: response.headers["Cache-Control"] = "no-store" - response.headers["Content-Type"] = "text/html; charset=utf-8" + ct = (response.headers.get("Content-Type") or "").lower() + if "application/json" not in ct: + response.headers["Content-Type"] = "text/html; charset=utf-8" + response.headers.pop("Vary", None) + # --- błędy 5xx --- elif 500 <= response.status_code < 600: response.headers["Cache-Control"] = "no-store" - response.headers["Content-Type"] = "text/html; charset=utf-8" + ct = (response.headers.get("Content-Type") or "").lower() + if "application/json" not in ct: + response.headers["Content-Type"] = "text/html; charset=utf-8" response.headers["Retry-After"] = "120" response.headers.pop("Vary", None)
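Review bot: In both the 4xx and the 5xx branch the new check `if "application/json" not in ct:` still rewrites every other Content-Type to `text/html; charset=utf-8`, so an error response that a view deliberately sent as `text/plain` (or as `application/problem+json`, which the substring test does not match) is relabelled as HTML. If such a body echoes request data, a browser would then render it as markup, which turns a harmless plain-text error into a possible XSS sink. Applying the default only when no type is present, `if not ct:`, keeps the fallback without overriding the view's choice; whether `X-Content-Type-Options: nosniff` is set elsewhere is not visible here and is worth confirming. The two branches now repeat the same three lines, so a small private helper would keep them from drifting apart. The end of apply_headers, including its final return, lies outside the hunk.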