diff --git a/bin/browserid b/bin/browserid
index c2eb015395db78f7412581db93bb157678167e16..70fdce33c78a2625fa69887fd1ad0828cd27f225 100755
--- a/bin/browserid
+++ b/bin/browserid
@@ -142,9 +142,6 @@ wsapi.setup({
 // #9 - handle views for dynamicish content
 views.setup(app);
-// #10 - if nothing else has caught this request, serve static files
-app.use(express.static(path.join(__dirname, "..", "resources", "static")));
-
 function doShutdown(readyForShutdownCB) {
 require('../lib/bcrypt.js').shutdown();
 db.close(readyForShutdownCB)
@@ -155,13 +152,6 @@ function doShutdown(readyForShutdownCB) {
 // the update logic
 shutdown.installUpdateHandler(app, doShutdown);
-// #11.5 - custom 404
-app.use(function(req, res,next) {
- res.statusCode = 404;
- res.write("Cannot find this resource");
- res.end();
-});
-
 // #12 if the BROWSERID_FAKE_VERIFICATION env var is defined, we'll include
 // fake_verification.js. This is used during testing only and should
 // never be included in a production deployment
@@ -169,6 +159,22 @@ if (process.env['BROWSERID_FAKE_VERIFICATION']) {
 require('../lib/browserid/fake_verification.js').addVerificationWSAPI(app);
 }
+// if nothing else has caught this request, serve static files, but ensure
+// that proper vary headers are installed to prevent unwanted caching
+app.use(function(req, res, next) {
+ res.setHeader('Vary', 'Accept-Encoding,Accept-Language');
+ next();
+});
+
+app.use(express.static(path.join(__dirname, "..", "resources", "static")));
+
+// custom 404 page
+app.use(function(req, res,next) {
+ res.statusCode = 404;
+ res.write("Cannot find this resource");
+ res.end();
+});
+
 // open the databse
 db.open(config.get('database'), function (error) {
 if (error) {
diff --git a/lib/browserid/views.js b/lib/browserid/views.js
index 7fba49f667e66b7c519cda7e9bf6bcbe1d3fe8d0..a1abaffaeaf9db9b0084573db0a0fdaa7ba0d529 100644
--- a/lib/browserid/views.js
+++ b/lib/browserid/views.js
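Review bot: In the third hunk of bin/browserid, the added middleware calls `res.setHeader('Vary', 'Accept-Encoding,Accept-Language')`, which replaces any `Vary` value an earlier middleware may have set before calling `next()`, rather than adding to it. Whether any earlier middleware does so is not visible here. If one does (for instance `Cookie` or `Origin`), a shared cache would stop separating those variants for the static files and for the 404 response registered below. Consider merging with the existing value, e.g. `var prev = res.getHeader('Vary'); res.setHeader('Vary', prev ? prev + ',Accept-Encoding,Accept-Language' : 'Accept-Encoding,Accept-Language');`. The same literal is repeated in `renderCachableView` in lib/browserid/views.js, so a single shared constant would keep the two cache keys from drifting apart.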
@@ -25,6 +25,7 @@ const VIEW_PATH = path.join(__dirname, "..", "..", "resources", "views");
 function renderCachableView(req, res, template, options) {
 fs.stat(path.join(VIEW_PATH, template), function (err, stat) {
 res.setHeader('Date', new Date().toUTCString());
+ res.setHeader('Vary', 'Accept-Encoding,Accept-Language');
 if (config.get('env') === 'production') {
 // res.setHeader('Cache-Control', 'public, max-age=' + (maxAge / 1000));
 res.setHeader('Last-Modified', stat.mtime.toUTCString());
@@ -32,7 +33,7 @@ function renderCachableView(req, res, template, options) {
 } else {
 res.setHeader('Cache-Control', 'no-store');
 }
- res.setHeader('Content-Type', 'text/html; charset=utf8');
+ res.setHeader('Content-Type', 'text/html; charset=utf8');
 if (connect.utils.conditionalGET(req)) {
 if (!connect.utils.modified(req, res)) {
 return connect.utils.notModified(res);
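Review bot: In the first hunk of lib/browserid/views.js, the `fs.stat` callback never checks `err` in the lines shown, so when the stat fails `stat` is undefined and the production branch's `stat.mtime.toUTCString()` throws, after `Date` and the new `Vary` header have already been set. That exception is raised in an asynchronous callback, so unless something else catches it, it can take the process down instead of failing the one request. A guard at the top of the callback, such as `if (err) { res.statusCode = 500; return res.end(); }`, would contain it. The body of `renderCachableView` continues past the end of this hunk, but any check placed later would come after the dereference.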