diff --git a/server.ts b/server.ts
index fffbf9b..ddab153 100644
--- a/server.ts
+++ b/server.ts
@@ -160,6 +160,13 @@ async function startServer() {
 
   app.use(express.json());
 
+  // API responses must never be cached by the browser — otherwise a stale
+  // (or HTML fallback) response can get served from cache via a 304.
+  app.use('/api', (_req, res, next) => {
+    res.set('Cache-Control', 'no-store');
+    next();
+  });
+
   // -------------------------------------------------------------
   // AUTH API
   // -------------------------------------------------------------
@@ -871,23 +878,6 @@ async function startServer() {
     }
   );
 
-  // -------------------------------------------------------------
-  // VITE / STATIC SERVING
-  // -------------------------------------------------------------
-  if (process.env.NODE_ENV !== 'production') {
-    const vite = await createViteServer({
-      server: { middlewareMode: true },
-      appType: 'spa',
-    });
-    app.use(vite.middlewares);
-  } else {
-    const distPath = path.join(process.cwd(), 'dist');
-    app.use(express.static(distPath));
-    app.get('*', (_req, res) => {
-      res.sendFile(path.join(distPath, 'index.html'));
-    });
-  }
-
   // -------------------------------------------------------------
   // CYCLIC CHECKMK STATUS SYNC
   // Looks up each device by IP address in CheckMK's host_config collection,
@@ -1244,6 +1234,24 @@ async function startServer() {
 
   pushCaddyConfig().catch(err => console.warn('[Caddy] Could not push config on startup:', err.message));
 
+  // -------------------------------------------------------------
+  // VITE / STATIC SERVING — registered LAST so the SPA catch-all ('*')
+  // never shadows the /api routes registered above it.
+  // -------------------------------------------------------------
+  if (process.env.NODE_ENV !== 'production') {
+    const vite = await createViteServer({
+      server: { middlewareMode: true },
+      appType: 'spa',
+    });
+    app.use(vite.middlewares);
+  } else {
+    const distPath = path.join(process.cwd(), 'dist');
+    app.use(express.static(distPath));
+    app.get('*', (_req, res) => {
+      res.sendFile(path.join(distPath, 'index.html'));
+    });
+  }
+
   app.listen(PORT, '0.0.0.0', () => {
     console.log(`[Server] Core Server running at http://0.0.0.0:${PORT}`);
   });