diff --git a/middleware.ts b/middleware.ts
index 835f36e..c668db9 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -34,9 +34,12 @@ export async function middleware(request: NextRequest) {
 // Carry any cookies Supabase rotated onto the working `response` over to a
 // deny/redirect response, so a refreshed session/refresh token is always
 // persisted — otherwise a fresh NextResponse would drop them and a
- // concurrent request could spuriously 401.
+ // concurrent request could spuriously 401. Also stamp `no-store` so these
+ // admin deny/redirect responses (which short-circuit before the route's
+ // own jsonNoStore runs) are never cached by intermediaries or the browser.
 const withCookies = (res: NextResponse): NextResponse => {
 response.cookies.getAll().forEach((cookie) => res.cookies.set(cookie));
+ res.headers.set('Cache-Control', 'no-store');
 return res;
 };
 if (!user) {
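Review bot: The `no-store` stamp added inside `withCookies` only protects responses that are actually passed through this helper, and the helper's name no longer says it does anything beyond cookies, so a later early return written as a bare `NextResponse.redirect(...)` would silently lose both the rotated session cookies and the cache directive. Consider a name that states the contract, such as `finalizeDenyResponse`, or at least a comment like `// every deny/redirect return in this middleware must go through withCookies`, plus a test per early-return branch asserting `Cache-Control: no-store`. The pass-through `response` that carries the same rotated `Set-Cookie` values is not visible in this hunk; if any admin route returns it without setting its own `no-store`, it would presumably need the header as well, since a shared cache storing a response with a session cookie is the worse failure. The body of `middleware` starts before and continues after the hunk.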