diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee7568d182..43aa589a5d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
 * [ct_hammer] support HTTPS and Bearer token for Authentication.
 * [preloader] support Bearer token Authentication for non temporal logs.
 * [preloader] support end indexes
+* [CTFE] Short cache max-age when get-entries returns fewer entries than requested by @robstradling in https://github.com/google/certificate-transparency-go/pull/1707
 
 ### CTFE Storage Saving: Extra Data Issuance Chain Deduplication
 
diff --git a/trillian/ctfe/handlers.go b/trillian/ctfe/handlers.go
index ef784cc8e3..fde2fd8c61 100644
--- a/trillian/ctfe/handlers.go
+++ b/trillian/ctfe/handlers.go
@@ -56,6 +56,8 @@ const (
 	cacheControlHeader = "Cache-Control"
 	// Value for Cache-Control header when response contains immutable data, i.e. entries or proofs. Allows the response to be cached for 1 day.
 	cacheControlImmutable = "public, max-age=86400"
+	// Value for Cache-Control header when response contains immutable but partial data, i.e. fewer entries than requested. Allows the response to be cached for 1 minute.
+	cacheControlPartial = "public, max-age=60"
 	// HTTP content type header
 	contentTypeHeader string = "Content-Type"
 	// MIME content type for JSON
@@ -802,7 +804,11 @@ func getEntries(ctx context.Context, li *logInfo, w http.ResponseWriter, r *http
 		return http.StatusInternalServerError, fmt.Errorf("failed to process leaves returned from backend: %s", err)
 	}
 
-	w.Header().Set(cacheControlHeader, cacheControlImmutable)
+	if len(rsp.Leaves) < int(count) {
+		w.Header().Set(cacheControlHeader, cacheControlPartial)
+	} else {
+		w.Header().Set(cacheControlHeader, cacheControlImmutable)
+	}
 	w.Header().Set(contentTypeHeader, contentTypeJSON)
 	jsonData, err := json.Marshal(&jsonRsp)
 	if err != nil {