diff --git a/caddy/Caddyfile.local b/caddy/Caddyfile.local
index b2013e35..df3fe4b7 100644
--- a/caddy/Caddyfile.local
+++ b/caddy/Caddyfile.local
@@ -16,7 +16,8 @@
 	header {
 		Access-Control-Allow-Origin "http://localhost:5173" # allows the Vue app (running on localhost:5173) to make requests.
 		Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" # Specifies which methods are allowed.
-		Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent" # allows the custom headers needed by the API.
+		Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent, If-None-Match" # allows the custom headers needed by the API.
+		Access-Control-Expose-Headers "ETag"
 	}
 
 	# This handles the browser's "preflight" OPTIONS request.
@@ -29,7 +30,7 @@
 		# Reflect the Origin back so it's always allowed
 		header Access-Control-Allow-Origin "{http.request.header.Origin}"
 		header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
-		header Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent"
+		header Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent, If-None-Match"
 		header Access-Control-Max-Age "86400"
 		respond 204
 	}
diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
index 07a90b9e..70c09835 100644
--- a/caddy/Caddyfile.prod
+++ b/caddy/Caddyfile.prod
@@ -34,7 +34,8 @@ oullin.io {
 		header {
 			Access-Control-Allow-Origin "https://oullin.io"
 			Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
-			Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent"
+			Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent, If-None-Match"
+			Access-Control-Expose-Headers "ETag"
 		}
 
 		@preflight {
@@ -46,7 +47,7 @@ oullin.io {
 			# Reflect the Origin back so it's always allowed
 			header Access-Control-Allow-Origin "{http.request.header.Origin}"
 			header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
-			header Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent"
+			header Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent, If-None-Match"
 			header Access-Control-Max-Age "86400"
 			respond 204
 		}