diff --git a/app.py b/app.py
index f5c7b3b..8001723 100644
--- a/app.py
+++ b/app.py
@@ -1244,6 +1244,30 @@ def require_system_password():
 return redirect(url_for("system_auth", next=fixed_url))
+@app.after_request
+def apply_headers(response):
+ if request.path.startswith(("/static/", "/uploads/")):
+ response.headers["Vary"] = "Accept-Encoding"
+ return response
+
+ if response.status_code in (301, 302, 303, 307, 308):
+ response.headers.pop("Vary", None)
+ return response
+
+ if 400 <= response.status_code < 500:
+ response.headers["Cache-Control"] = "no-store"
+ response.headers["Content-Type"] = "text/html; charset=utf-8"
+ response.headers.pop("Vary", None)
+
+ elif 500 <= response.status_code < 600:
+ response.headers["Cache-Control"] = "no-store"
+ response.headers["Content-Type"] = "text/html; charset=utf-8"
+ response.headers["Retry-After"] = "120"
+ response.headers.pop("Vary", None)
+
+ return response
+
+
 @app.before_request
 def start_timer():
 g.start_time = time.time()
@@ -2140,9 +2164,6 @@ def upload_receipt(list_id):
 def uploaded_file(filename):
 response = send_from_directory(app.config["UPLOAD_FOLDER"], filename)
 response.headers["Cache-Control"] = app.config["UPLOADS_CACHE_CONTROL"]
- response.headers.pop("Pragma", None)
- response.headers.pop("Content-Disposition", None)
- response.headers.pop("Vary", None)
 mime, _ = mimetypes.guess_type(filename)
 if mime:
 response.headers["Content-Type"] = mime
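Review bot: Both error branches of `apply_headers` overwrite `Content-Type` with `text/html; charset=utf-8` regardless of what the view produced, so a 4xx/5xx body generated as JSON or plain text is relabelled as HTML and will be rendered as markup by the browser. If any such body echoes request data, that relabelling is what makes it injectable. Flask already puts a Content-Type on every response, so the assignment only has an effect in exactly that mismatched case. I would drop both `response.headers["Content-Type"] = ...` lines and add `response.headers.setdefault("X-Content-Type-Options", "nosniff")` instead. Separately, the `/static/` and `/uploads/` branch replaces any existing `Vary` value rather than extending it; `response.vary.add("Accept-Encoding")` would keep whatever an earlier handler or extension set.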