diff --git a/CHANGELOG.md b/CHANGELOG.md
index 093f0cc..c61ce12 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,10 @@ Version numbers follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html
 ## [Unreleased]
+### Fixed
+
+- **Stale UI after updating the server** — Flask served `/static/` files with no `Cache-Control` header, so browsers cached JS/CSS heuristically (often for days). After a server update — including the new in-app self-update, whose post-install reload hit the cache — the backend was new but the frontend stayed old, and fixes appeared "not to work" until a hard refresh. `SEND_FILE_MAX_AGE_DEFAULT = 0` now makes every static file revalidate via ETag: unchanged files answer with a cheap 304, changed files are re-fetched immediately on the next normal page load.
+
 ---
 ## [1.7.4] — 2026-06-10
diff --git a/gdpr_scanner.py b/gdpr_scanner.py
index 686cb9f..948d7fc 100644
--- a/gdpr_scanner.py
+++ b/gdpr_scanner.py
@@ -317,6 +317,11 @@ app = Flask(__name__, template_folder=_os.path.join(_BASE_DIR, "templates"), static_folder=_os.path.join(_BASE_DIR, "static"))
+# Static files must revalidate on every load (cheap 304s via ETag). Without
+# this there is no Cache-Control header and browsers cache JS/CSS heuristically
+# for days — after a self-update the backend is new but the UI stays stale.
+app.config["SEND_FILE_MAX_AGE_DEFAULT"] = 0
+
 # Session secret — derived from machine_id so it survives restarts without a separate file.
 # machine_id is also the Fernet key (base64-encoded 32 bytes); we use its raw bytes as the secret.
 try:
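Review bot: The added `app.config["SEND_FILE_MAX_AGE_DEFAULT"] = 0` in gdpr_scanner.py is not backed by any check of the header that is actually sent, and its effect depends on the installed Flask/Werkzeug version. As far as I know, Flask 2.0 and later default this setting to `None`, which already answers static requests with `Cache-Control: no-cache` and ETag revalidation, so the "no Cache-Control header" explanation in the comment may not hold for every deployment. A small test-client assertion on a `/static/` response (a `Cache-Control` header is present and an `ETag` is set) would pin the behaviour across dependency upgrades. The comment could also state the scope, for example `# Applies to send_file/static responses only; rendered HTML pages are unaffected.` The module-level code around this hunk continues outside it.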