diff --git a/docker-compose.yml b/docker-compose.yml index d51ce2f64..26a5f9a7b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -104,7 +104,7 @@ services: entrypoint: /bin/sh -c "cp /etc/varnish/default.vcl.template /etc/varnish/default.vcl && sed -i 's|$${BACKEND_HOST}|'"$$BACKEND_HOST"'|g' /etc/varnish/default.vcl && sed -i 's|$${BACKEND_PORT}|'"$$BACKEND_PORT"'|g' /etc/varnish/default.vcl && sed -i 's|$${CLIENT_HOST}|'"$$CLIENT_HOST"'|g' /etc/varnish/default.vcl && /usr/local/bin/docker-varnish-entrypoint \"$$0\" \"$$@\"" command: [ "-t", "86400" ] # time to live volumes: - - ./platform/varnish.vcl.template:/etc/varnish/default.vcl.template:ro + - ./platform/varnish-frontend.vcl.template:/etc/varnish/default.vcl.template:ro varnish-admin: image: varnish:7.3.0 user: root # otherwise the varnish user does not have permissions to the mounted folder which is owner by root @@ -119,7 +119,7 @@ services: entrypoint: /bin/sh -c "cp /etc/varnish/default.vcl.template /etc/varnish/default.vcl && sed -i 's|$${BACKEND_HOST}|'"$$BACKEND_HOST"'|g' /etc/varnish/default.vcl && sed -i 's|$${BACKEND_PORT}|'"$$BACKEND_PORT"'|g' /etc/varnish/default.vcl && sed -i 's|$${CLIENT_HOST}|'"$$CLIENT_HOST"'|g' /etc/varnish/default.vcl && /usr/local/bin/docker-varnish-entrypoint \"$$0\" \"$$@\"" command: [ "-t", "86400" ] # time to live volumes: - - ./platform/varnish.vcl.template:/etc/varnish/default.vcl.template:ro + - ./platform/varnish-backend.vcl.template:/etc/varnish/default.vcl.template:ro varnish-end-user: image: varnish:7.3.0 user: root # otherwise varnish user does not have permissions to the mounted folder which is owner by root 
@@ -134,7 +134,7 @@ services: entrypoint: /bin/sh -c "cp /etc/varnish/default.vcl.template /etc/varnish/default.vcl && sed -i 's|$${BACKEND_HOST}|'"$$BACKEND_HOST"'|g' /etc/varnish/default.vcl && sed -i 's|$${BACKEND_PORT}|'"$$BACKEND_PORT"'|g' /etc/varnish/default.vcl && sed -i 's|$${CLIENT_HOST}|'"$$CLIENT_HOST"'|g' /etc/varnish/default.vcl && /usr/local/bin/docker-varnish-entrypoint \"$$0\" \"$$@\"" command: [ "-t", "86400" ] # time to live volumes: - - ./platform/varnish.vcl.template:/etc/varnish/default.vcl.template:ro + - ./platform/varnish-backend.vcl.template:/etc/varnish/default.vcl.template:ro email-server: image: namshi/smtp environment: diff --git a/platform/varnish-backend.vcl.template b/platform/varnish-backend.vcl.template new file mode 100644 index 000000000..40b46a10e --- /dev/null +++ b/platform/varnish-backend.vcl.template 
@@ -0,0 +1,64 @@ +vcl 4.0; + +import std; + +backend default { + .host = "${BACKEND_HOST}"; + .port = "${BACKEND_PORT}"; + .first_byte_timeout = 60s; +} + +acl local { + "localhost"; + "${CLIENT_HOST}"; +} + +sub vcl_recv { + if (req.method == "PURGE") { + if (!client.ip ~ local) { + return (synth(403, "Unknown IP address '" + client.ip + "'. Access denied.")); + } + return (purge); + } + + if (req.method == "BAN") { # supports only 2 URIs! + if (!client.ip ~ local) { + return (synth(403, "Unknown IP address '" + client.ip + "'. Access denied.")); + } + + set req.http.X-Escaped-Request-URI-1 = regsub(req.http.X-Escaped-Request-URI, ",.*$", ""); # remove header value after comma + set req.http.X-Escaped-Request-URI-2 = regsub(req.http.X-Escaped-Request-URI, "^.*,", ""); # remove header value before comma + ban("req.url ~ " + req.http.X-Escaped-Request-URI-1); + ban("req.url ~ " + req.http.X-Escaped-Request-URI-2); + return (synth(200, "Banned")); + } + + if (req.method != "GET" && + req.method != "HEAD" && + req.method != "PUT" && + req.method != "POST" && + req.method != "TRACE" && + req.method != "OPTIONS" && + req.method != "DELETE" && + req.method != "PATCH") { + /* Non-RFC2616 or CONNECT which is weird. */ + return (pipe); + } + + if (req.method != "GET" && req.method != "HEAD") { + /* We only deal with GET and HEAD by default */ + return (pass); + } + + return (hash); +} + +sub vcl_backend_response { + /* purge URLs after updates */ + if ((beresp.status == 200 || beresp.status == 201 || beresp.status == 204) && bereq.method ~ "POST|PUT|DELETE|PATCH") { + set beresp.http.X-LinkedDataHub = "Banned"; + ban("req.url == " + bereq.url + " && req.http.host == " + bereq.http.host); + } + + return (deliver); +} \ No newline at end of file diff --git a/platform/varnish.vcl.template b/platform/varnish-frontend.vcl.template similarity index 81% rename from platform/varnish.vcl.template rename to platform/varnish-frontend.vcl.template index f4bcc03f0..0caa5f26b 100644 
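Review bot: In the new vcl_recv, a GET or HEAD reaches `return (hash)` regardless of `Authorization` or `Cookie` headers, and because the sub returns explicitly the builtin vcl_recv that would pass such requests never runs; if the service behind `${BACKEND_HOST}` authorizes per request, a credentialed response is stored under a key that ignores the credential and served to any client that can reach this Varnish. The explicit `return (deliver)` in vcl_backend_response likewise skips the builtin `Cache-Control: private|no-store` / `Set-Cookie` checks that would otherwise keep such responses out of cache, so adding `if (req.http.Authorization || req.http.Cookie) { return (pass); }` before `return (hash);` (or hashing the credential in vcl_hash) is the minimal guard. Separately, the BAN branch builds two ban expressions from `X-Escaped-Request-URI` without checking that the header is set (an unset header concatenates as empty, leaving `req.url ~ ` with no operand) and answers 200 "Banned" without checking that the ban was accepted; a guard such as `if (!req.http.X-Escaped-Request-URI) { return (synth(400, "X-Escaped-Request-URI header required")); }` and `std.ban()`/`std.ban_error()` from the already-imported std module would make failures visible. Note also that `req.*` bans such as these cannot be evaluated by the ban lurker, so with one ban per successful POST/PUT/DELETE/PATCH in vcl_backend_response the ban list grows until every cached object has been tested against each entry.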
--- a/platform/varnish.vcl.template +++ b/platform/varnish-frontend.vcl.template @@ -13,16 +13,19 @@ acl local { "${CLIENT_HOST}"; } +acl remote { +} + sub vcl_recv { if (req.method == "PURGE") { - if (!client.ip ~ local) { + if (!client.ip ~ local && !client.ip ~ remote) { return (synth(403, "Unknown IP address '" + client.ip + "'. Access denied.")); } return (purge); } if (req.method == "BAN") { # supports only 2 URIs! - if (!client.ip ~ local) { + if (!client.ip ~ local && !client.ip ~ remote) { return (synth(403, "Unknown IP address '" + client.ip + "'. Access denied.")); } @@ -49,7 +52,10 @@ sub vcl_recv { /* We only deal with GET and HEAD by default */ return (pass); } - + if (req.http.Client-Cert) { + /* Authenticated requests are not cacheable */ + return (pass); + } if (req.http.Cookie) { # explicitly allow only cookies required by LDH server-side set req.http.Cookie = ";" + req.http.Cookie; @@ -58,21 +64,11 @@ sub vcl_recv { set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", ""); set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", ""); - if (req.http.Cookie ~ "LinkedDataHub\.id_token=") { - # extract the LinkedDataHub.id_token value - set req.http.X-LinkedDataHub-Id-Token = regsub(req.http.Cookie, ".*LinkedDataHub\.id_token=([^; ]+).*", "\1"); - } - if (req.http.cookie ~ "^\s*$") { unset req.http.cookie; } } - if ((req.http.Client-Cert || req.http.X-LinkedDataHub-Id-Token) && (req.http.Accept ~ "text/html" || req.http.Accept ~ "application/xhtml+xml")) { - /* Authenticated (X)HTML requests are not cacheable (since they're user-specific) */ - return (pass); - } - return (hash); } @@ -84,4 +80,4 @@ sub vcl_backend_response { } return (deliver); -} +} \ No newline at end of file diff --git a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/layout.xsl b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/layout.xsl index 2df3c8cfc..0f6fd765a 100644 
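Review bot: The new `acl remote { }` carries no comment saying what belongs in it, yet any address added there gains the same PURGE and BAN rights as `local`; a one-liner such as `# external hosts permitted to PURGE/BAN; keep empty unless a remote invalidator needs it` would stop it being filled in casually. Whether the VCL compiler in the varnish:7.3.0 image accepts an ACL block with no entries is worth confirming with `varnishd -C` before this ships, since the container only fails at start-up otherwise.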
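Review bot: `req.http.Client-Cert` is an ordinary request header, so the new pass-through only reflects a real client certificate if the TLS terminator in front of varnish-frontend always sets or strips it; a caller that can reach the Varnish port directly can add the header to any request and bypass the cache at will. That is a cache-bypass (load) concern rather than a confidentiality one, but it deserves a comment next to the check: `/* Client-Cert is set by the TLS proxy; the proxy must strip it from incoming requests */`. The enclosing vcl_recv starts before this hunk.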
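Review bot: Dropping the `LinkedDataHub.id_token` branch means a GET that carries that cookie now falls through to `return (hash)` at the end of the hunk, and because the sub returns explicitly the builtin vcl_recv that passes cookie-bearing requests is skipped; if the id_token cookie survives the whitelist applied just above (the allowed-cookie line is outside this hunk) and the server renders user-specific HTML for it, as the removed comment stated, that response is cached under a key without the cookie and can be served to unauthenticated clients. Either strip `LinkedDataHub.id_token` in the whitelist so the request is genuinely anonymous, or keep a pass: `if (req.http.Cookie ~ "LinkedDataHub\.id_token=") { return (pass); }`. A short comment recording which of the two is intended would help the next reader, since the frontend and backend templates now diverge here.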
--- a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/layout.xsl +++ b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/layout.xsl @@ -800,7 +800,7 @@ LIMIT 100 - + diff --git a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/resource.xsl b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/resource.xsl index c901ed7c0..0099f5dc7 100644 --- a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/resource.xsl +++ b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/resource.xsl @@ -614,6 +614,7 @@ extension-element-prefixes="ixsl" +