diff --git a/app/controllers/application_controller/sets_headers.rb b/app/controllers/application_controller/sets_headers.rb
index 97391904b..93b09eff2 100644
--- a/app/controllers/application_controller/sets_headers.rb
+++ b/app/controllers/application_controller/sets_headers.rb
@@ -3,7 +3,7 @@ module ApplicationController::SetsHeaders
 included do
 before_action :cors_preflight_check
- after_action :set_access_control_headers
+ after_action :set_access_control_headers, :set_cache_control_headers
 end
 private
@@ -22,6 +22,15 @@ module ApplicationController::SetsHeaders
 headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
 end
+ def set_cache_control_headers
+
+ # by default http cache is disabled
+ # expires_now function only sets no-cache so we handle the headers by our own.
+ headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
+ headers['Pragma'] = 'no-cache'
+ headers['Expires'] = '-1'
+ end
+
 # If this is a preflight OPTIONS request, then short-circuit the
 # request, return only the necessary headers and return an empty
 # text/plain.
diff --git a/spec/requests/api_auth_spec.rb b/spec/requests/api_auth_spec.rb
index 06e8c748c..23f3e7a46 100644
--- a/spec/requests/api_auth_spec.rb
+++ b/spec/requests/api_auth_spec.rb
@@ -39,6 +39,9 @@ RSpec.describe 'Api Auth', type: :request do
 get '/api/v1/sessions', params: {}, as: :json
 expect(response).to have_http_status(:ok)
 expect(response.header['Access-Control-Allow-Origin']).to eq('*')
+ expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
+ expect(response.header['Pragma']).to eq('no-cache')
+ expect(response.header['Expires']).to eq('-1')
 expect(json_response).to be_a_kind_of(Hash)
 expect(json_response).to be_truthy
 end
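Review bot: `set_cache_control_headers` in the second hunk runs as an unconditional `after_action`, so any action in this controller tree that sets its own caching policy (`expires_in`, `fresh_when`/`stale?`) has that header overwritten after the fact; if opting out is intended, the method should document the escape hatch, e.g. a leading `# Controllers that serve cacheable responses must skip_after_action :set_cache_control_headers.`, or guard with something like `return if response.cache_control.present?` if an action-set policy should win. The spec only regex-matches `/no-cache, no-store/` rather than asserting the full string assigned here, which suggests the header that reaches the client is not the literal value written (Rails normalizes Cache-Control when no-cache is present) — worth confirming and noting in the comment which directives actually survive. As a style point, drop the empty line after `def set_cache_control_headers` and reword the comment to `# expires_now only sets no-cache, so we set the full header set ourselves.`.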
@@ -57,6 +60,9 @@ RSpec.describe 'Api Auth', type: :request do
 get '/api/v1/tickets', params: {}, as: :json
 expect(response).to have_http_status(:ok)
 expect(response.header['Access-Control-Allow-Origin']).to eq('*')
+ expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
+ expect(response.header['Pragma']).to eq('no-cache')
+ expect(response.header['Expires']).to eq('-1')
 expect(json_response).to be_a_kind_of(Array)
 expect(json_response).to be_truthy
 end
@@ -75,6 +81,9 @@ RSpec.describe 'Api Auth', type: :request do
 get '/api/v1/tickets', params: {}, as: :json
 expect(response).to have_http_status(:ok)
 expect(response.header['Access-Control-Allow-Origin']).to eq('*')
+ expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
+ expect(response.header['Pragma']).to eq('no-cache')
+ expect(response.header['Expires']).to eq('-1')
 expect(json_response).to be_a_kind_of(Array)
 expect(json_response).to be_truthy
 end
@@ -104,6 +113,9 @@ RSpec.describe 'Api Auth', type: :request do
 get '/api/v1/sessions', params: {}, as: :json
 expect(response).to have_http_status(:ok)
 expect(response.header['Access-Control-Allow-Origin']).to eq('*')
+ expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
+ expect(response.header['Pragma']).to eq('no-cache')
+ expect(response.header['Expires']).to eq('-1')
 expect(json_response).to be_a_kind_of(Hash)
 expect(json_response).to be_truthy
@@ -251,6 +263,9 @@ RSpec.describe 'Api Auth', type: :request do
 get '/api/v1/tickets', params: {}, as: :json
 expect(response).to have_http_status(:ok)
 expect(response.header['Access-Control-Allow-Origin']).to eq('*')
+ expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
+ expect(response.header['Pragma']).to eq('no-cache')
+ expect(response.header['Expires']).to eq('-1')
 expect(json_response).to be_a_kind_of(Array)
 expect(json_response).to be_truthy
@@ -286,6 +301,9 @@ RSpec.describe 'Api Auth', type: :request do
 Setting.set('api_token_access', true)
 get '/api/v1/tickets', params: {}, as: :json
 expect(response.header['Access-Control-Allow-Origin']).to eq('*')
+ expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
+ expect(response.header['Pragma']).to eq('no-cache')
+ expect(response.header['Expires']).to eq('-1')
 expect(response).to have_http_status(:ok)
 expect(json_response).to be_a_kind_of(Array)
 expect(json_response).to be_truthy
@@ -370,6 +388,9 @@ RSpec.describe 'Api Auth', type: :request do
 get '/api/v1/tickets', params: {}, as: :json
 expect(response).to have_http_status(:ok)
 expect(response.header['Access-Control-Allow-Origin']).to eq('*')
+ expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
+ expect(response.header['Pragma']).to eq('no-cache')
+ expect(response.header['Expires']).to eq('-1')
 expect(json_response).to be_a_kind_of(Array)
 expect(json_response).to be_truthy