diff --git a/src/server.js b/src/server.js
index 57a16c7f..f048891e 100644
--- a/src/server.js
+++ b/src/server.js
@@ -114,7 +114,13 @@ app.use((req, res, next) => {
   else if (path === '/manifest.json') {
     res.setHeader('Cache-Control', 'public, max-age=86400'); // 1 day
   }
-  // Everything else: Short cache
+  // API responses: NEVER cache (security middleware sets this too, but catch-all below would override)
+  else if (path.startsWith('/api/')) {
+    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+    res.setHeader('Pragma', 'no-cache');
+    res.setHeader('Expires', '0');
+  }
+  // Everything else (static assets without extensions): Short cache
   else {
     res.setHeader('Cache-Control', 'public, max-age=3600'); // 1 hour
   }