diff --git a/src/JobsMedical.Web/Program.cs b/src/JobsMedical.Web/Program.cs
index 76df6da..df2e616 100644
--- a/src/JobsMedical.Web/Program.cs
+++ b/src/JobsMedical.Web/Program.cs
@@ -147,6 +147,28 @@ app.UseMiddleware();
 app.UseAuthentication();
 app.UseAuthorization();
 
+// HTML pages list live, fast-changing data (listings get archived between crawls). The CDN must NOT
+// serve a stale homepage/detail copy — that's how an archived (410) listing can still appear as a
+// card. Force revalidation on HTML; never let a private (logged-in) page be cached by the CDN, and
+// Vary on the auth cookie so an anonymous copy is never handed to a logged-in visitor (or vice-versa).
+// Static assets (css/js/fonts/images) are untouched — they keep MapStaticAssets' long cache headers.
+app.Use(async (ctx, next) =>
+{
+ ctx.Response.OnStarting(() =>
+ {
+ if (ctx.Response.ContentType is string ct && ct.StartsWith("text/html")
+ && !ctx.Response.Headers.ContainsKey("Cache-Control"))
+ {
+ ctx.Response.Headers.CacheControl = ctx.User.Identity?.IsAuthenticated == true
+ ? "private, no-store"
+ : "no-cache, must-revalidate";
+ ctx.Response.Headers.Vary = "Cookie";
+ }
+ return Task.CompletedTask;
+ });
+ await next();
+});
+
 app.MapStaticAssets();
 app.MapRazorPages()
 .WithStaticAssets();
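Review bot: The `ctx.Response.Headers.Vary = "Cookie"` assignment in the OnStarting callback replaces whatever Vary value another component has already set on the response (a Vary added by response compression, for instance), so the CDN silently loses that key; appending keeps both, `ctx.Response.Headers.Append("Vary", "Cookie");`. The cache directive is decided from `IsAuthenticated` alone, so an anonymous HTML response that itself carries a Set-Cookie (an antiforgery or session cookie handed to a first-time visitor, if the app issues those) still gets `no-cache, must-revalidate`, which a shared cache is allowed to store; routing such responses to the `private, no-store` branch with `|| ctx.Response.Headers.ContainsKey("Set-Cookie")` in the ternary condition closes that gap. `ct.StartsWith("text/html")` is a culture-sensitive comparison that also misses a `Text/HTML` content type; `ct.StartsWith("text/html", StringComparison.OrdinalIgnoreCase)` makes the match explicit and culture-independent. The whole middleware lambda is inside this hunk, so these are local edits.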