diff --git a/lib/MetaCPAN/Web/Controller/Account.pm b/lib/MetaCPAN/Web/Controller/Account.pm
index bd0510a1cc..e729d2d724 100644
--- a/lib/MetaCPAN/Web/Controller/Account.pm
+++ b/lib/MetaCPAN/Web/Controller/Account.pm
@@ -9,9 +9,7 @@ BEGIN { extends 'MetaCPAN::Web::Controller' }
 sub auto : Private {
 my ( $self, $c ) = @_;
- # Keep everything here as specific to the user
- # this is for proxies
- $c->res->header( Vary => 'Cookie' );
+ $c->cdn_never_cache(1);
 if ( my $token = $c->token ) {
 $c->authenticate( { token => $token } );
diff --git a/lib/MetaCPAN/Web/Controller/Login.pm b/lib/MetaCPAN/Web/Controller/Login.pm
index 075e6ecb01..6d32570071 100644
--- a/lib/MetaCPAN/Web/Controller/Login.pm
+++ b/lib/MetaCPAN/Web/Controller/Login.pm
@@ -7,6 +7,10 @@ BEGIN { extends 'MetaCPAN::Web::Controller' }
 sub index : Path : Args(0) {
 my ( $self, $c ) = @_;
+
+ # Never cache at CDN
+ $c->cdn_never_cache(1);
+
 if ( my $code = $c->req->parameters->{code} ) {
 my $data = $c->model('API')->request( '/oauth2/access_token',
@@ -29,6 +33,10 @@ sub index : Path : Args(0) {
 sub openid : Local : Args(0) {
 my ( $self, $c ) = @_;
+
+ # Never cache at CDN
+ $c->cdn_never_cache(1);
+
 $c->stash( { template => 'account/openid-login.html' } );
 }
diff --git a/t/controller/account.t b/t/controller/account.t
index e7e50d43cc..dfc62a0987 100644
--- a/t/controller/account.t
+++ b/t/controller/account.t
@@ -36,8 +36,9 @@ test_psgi app, sub {
 'GET /account/profile without token' );
 is( $res->code, 403, '... and the user cannot get in' );
- is( $res->header('Vary'),
- 'Cookie', '... and the Vary header for proxies is there' );
+ is( $res->header('Cache-Control'),
+ 'private',
+ '... and the private Cache-Control header for proxies is there' );
 is( $authenticate_args, undef, '... and we did not try to authenticate' );
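Review bot: The new `$c->cdn_never_cache(1);` line in `auto` has no comment, while the lines it replaces explained why the header was set and both Login.pm hunks do carry one. Since `auto` covers every action in this controller and the responses are per-user, a line such as `# Per-user account pages: never let the CDN or a shared proxy store them` above the call would keep that reason visible. The updated test asserts only `Cache-Control: private`, which still lets the browser's own cache keep these pages; whether `no-store` is also wanted depends on what `cdn_never_cache` emits, which this diff does not show. The body of `auto` continues past the hunk.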
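Review bot: `index` here and `openid` in the next hunk each call `$c->cdn_never_cache(1)` by hand, whereas Account.pm sets it once in `auto`, so any other action in this controller, existing or added later, would be served without it. `index` handles the OAuth `code` parameter and the access-token request, so a response from this controller that a shared cache stores could presumably reach a different visitor; a controller-wide default is the safer form. Consider a single `auto` action, sketched below, in place of the two per-action calls. Whether Login.pm has further actions is not visible in this diff, and the body of `index` continues past the hunk.

```perl
sub auto : Private {
    my ( $self, $c ) = @_;

    # Nothing served by this controller may be cached at the CDN
    $c->cdn_never_cache(1);

    return 1;
}
```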
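Review bot: Only the `/account/profile` assertion is updated, and nothing in this diff checks that the `index` and `openid` actions changed in Login.pm now return the same header. A matching `Cache-Control` assertion for those two responses would catch a regression on the pages that handle the OAuth `code`. The exact comparison against `'private'` will also fail if `cdn_never_cache` ever emits a stricter value alongside it; `like( $res->header('Cache-Control'), qr/\bprivate\b/, ... )` pins the directive without pinning the whole header. The enclosing `test_psgi app, sub {` block starts and ends outside the hunk.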