diff --git a/content/docs/defenses/isolation-policies/framing-isolation.md b/content/docs/defenses/isolation-policies/framing-isolation.md index b5a7e44fd..1e5d72f4b 100644 --- a/content/docs/defenses/isolation-policies/framing-isolation.md +++ b/content/docs/defenses/isolation-policies/framing-isolation.md @@ -51,6 +51,8 @@ def allow_request(req): return False ``` +IMPORTANT: To ensure the policy works well under caching, you must additionally include `Sec-Fetch-Dest`, `Sec-Fetch-Mode`, and `Sec-Fetch-Site` in the `Vary` response header. + ## Considerations Framing Isolation Policy cannot be applied if an endpoint allows framing requests from specific origins via `X-Frame-Options` and/or Content Security Policy's `frame-ancestors` directive. diff --git a/content/docs/defenses/isolation-policies/navigation-isolation.md b/content/docs/defenses/isolation-policies/navigation-isolation.md index 8d652550b..f953f178e 100644 --- a/content/docs/defenses/isolation-policies/navigation-isolation.md +++ b/content/docs/defenses/isolation-policies/navigation-isolation.md @@ -36,5 +36,8 @@ def allow_request(req): # Allow all other requests return True ``` + +IMPORTANT: To ensure the policy works well under caching, you must additionally include `Sec-Fetch-Mode` and `Sec-Fetch-Site` in the `Vary` response header. + ## References [^secmetadata]: Fetch Metadata Request Headers playground, [link](https://secmetadata.appspot.com/) diff --git a/content/docs/defenses/isolation-policies/resource-isolation.md b/content/docs/defenses/isolation-policies/resource-isolation.md index 45aa8dbae..02812843b 100644 --- a/content/docs/defenses/isolation-policies/resource-isolation.md +++ b/content/docs/defenses/isolation-policies/resource-isolation.md 
@@ -39,6 +39,8 @@ def allow_request(req): return False ``` +IMPORTANT: To ensure the policy works well under caching, you must additionally include `Sec-Fetch-Dest`, `Sec-Fetch-Mode`, and `Sec-Fetch-Site` in the `Vary` response header. + ## Considerations It should be safe to set a `Cross-Origin-Resource-Policy: same-site` response header on all requests that have not explicitly been exempted from Resource Isolation Policy. See [CORP]({{< ref "../opt-in/corp.md" >}}). diff --git a/content/docs/defenses/isolation-policies/strict-isolation.md b/content/docs/defenses/isolation-policies/strict-isolation.md index 4dff04352..a8f593b9d 100644 --- a/content/docs/defenses/isolation-policies/strict-isolation.md +++ b/content/docs/defenses/isolation-policies/strict-isolation.md @@ -36,6 +36,8 @@ def allow_request(req): return True ``` +IMPORTANT: To ensure the policy works well under caching, you must additionally include `Sec-Fetch-Site` in the `Vary` response header. + ## Implementation with SameSite cookies If a server sends a cookie with the [`SameSite=strict`]({{< ref "../opt-in/same-site-cookies/#samesite-cookie-modes" >}}) flag, any returned request that doesn't contain that cookie can be rejected, as showcased in this snippet:
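Review bot: the added `IMPORTANT:` paragraph in the framing-isolation.md hunk states the requirement but not the failure it prevents, so a reader cannot judge how serious it is. Suggest one sentence of rationale, such as: a shared cache that is not told to key on these headers can store the response generated for one `Sec-Fetch-Dest`/`Sec-Fetch-Mode`/`Sec-Fetch-Site` combination and replay it to a request with different values, so a response the policy would have blocked (or allowed) is served from cache without `allow_request` ever running. It would also help to give the concrete header line, `Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site`, and to say that the rejection response (the `return False` path shown as context) needs the same `Vary` value, otherwise a cached denial can be served to a legitimate same-origin request.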
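Review bot: the `Vary` list in the navigation-isolation.md hunk (`Sec-Fetch-Mode` and `Sec-Fetch-Site`) must match exactly the request headers that `allow_request` branches on, and only the tail of that function (`# Allow all other requests` / `return True`) is visible here, so please confirm against the full snippet above the hunk that no other `Sec-Fetch-*` header (for example `Sec-Fetch-Dest` or `Sec-Fetch-User`) is read there; any header the policy inspects but `Vary` omits reintroduces the cache-key mismatch the note is meant to close. Minor: this hunk inserts a blank line before `IMPORTANT:`, while the framing-isolation.md hunk places the paragraph directly after the closing fence; pick one layout for all four pages.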
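Review bot: "works well under caching" in the resource-isolation.md hunk is vague; the concrete consequence worth stating is that without these headers in `Vary` a cache keys the response on the URL (plus any existing `Vary` values) only, so a cross-site request can be handed a cached copy of a resource the policy would have refused, and a same-site request can be handed a cached refusal. Since the `## Considerations` context directly below recommends `Cross-Origin-Resource-Policy: same-site` on non-exempted responses, it is also worth saying that the `Vary` requirement applies equally to those CORP-tagged responses and to the `return False` rejection path.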
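Review bot: the four added `IMPORTANT:` paragraphs are identical except for the header list, and the strict-isolation.md variant lists only `Sec-Fetch-Site`; four hand-maintained copies will drift the next time a policy gains a header check. Since the site already uses Hugo shortcodes (`{{< ref ... >}}` appears in the context lines), consider one shortcode or partial that takes the header list as a parameter, rendering `Vary: Sec-Fetch-Site` here and the longer lists on the other three pages, and put the explanation of the caching risk in that single place instead of repeating "works well under caching" four times.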