diff --git a/controller/permissions/PermissionController.js b/controller/permissions/PermissionController.js
index 51a0424..02d50c7 100644
--- a/controller/permissions/PermissionController.js
+++ b/controller/permissions/PermissionController.js
@@ -36,6 +36,11 @@ class PermissionController {
 }
 
 static async getUserPermissions(req, res) {
+ // Prevent caching of permission responses
+ res.set('Cache-Control', 'no-store, no-cache, must-revalidate, private');
+ res.set('Pragma', 'no-cache');
+ res.set('Vary', 'Authorization');
+
 // Access control: only self or admin/super_admin can view
 const requestedUserId = Number(req.params.id);
 const requesterUserId = Number(req.user.userId ?? req.user.id ?? req.user.sub);
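Review bot: `res.set('Vary', 'Authorization')` overwrites whatever `Vary` value earlier middleware has already placed on the response (CORS and compression layers commonly add `Origin` or `Accept-Encoding`), so those entries would be lost for this route. Assuming `res` is an Express response, `res.vary('Authorization');` appends to the existing header instead of replacing it. Setting the headers before the access-control check is a good choice, since the denial responses are then marked `no-store` as well; a short comment saying that ordering is deliberate, e.g. `// Set before the access check so denials are not cached either`, would keep a later refactor from moving it. The body of `getUserPermissions` continues outside the hunk, so whether other handlers that return permission data get the same headers cannot be seen from here.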