diff --git a/app/controllers/jwks_controller.rb b/app/controllers/jwks_controller.rb
index d3a8d3dafea35de5e3c783769003df0e8fc20c18..2e030cf46c4d40aabb58b277d65cfebf3d311cd4 100644
--- a/app/controllers/jwks_controller.rb
+++ b/app/controllers/jwks_controller.rb
@@ -2,6 +2,10 @@ class JwksController < Doorkeeper::OpenidConnect::DiscoveryController
 def index
+ if ::Feature.enabled?(:cache_control_headers_for_openid_jwks)
+ expires_in 24.hours, public: true, must_revalidate: true, 'no-transform': true
+ end
+
 render json: { keys: payload }
 end
diff --git a/config/feature_flags/development/cache_control_headers_for_openid_jwks.yml b/config/feature_flags/development/cache_control_headers_for_openid_jwks.yml
new file mode 100644
index 0000000000000000000000000000000000000000..79f7a27eeacbf1d91dad93eaf7522a3eba482d4d
--- /dev/null
+++ b/config/feature_flags/development/cache_control_headers_for_openid_jwks.yml
@@ -0,0 +1,8 @@
+---
+name: cache_control_headers_for_openid_jwks
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138405
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/433360
+milestone: '16.7'
+type: development
+group: group::pipeline security
+default_enabled: false
\ No newline at end of file
diff --git a/spec/requests/jwks_controller_spec.rb b/spec/requests/jwks_controller_spec.rb
index f756c1758e4f37714a851c90e5b8b9477ef405c5..3dc3ed68311e3217b39c749e33c412a10ae6c186 100644
--- a/spec/requests/jwks_controller_spec.rb
+++ b/spec/requests/jwks_controller_spec.rb
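Review bot: The 24-hour `public` lifetime in the `expires_in` call means any shared cache (CDN, reverse proxy, client key cache) may keep serving a stale key set for up to a day after a signing key is rotated or withdrawn, and `must_revalidate` does not shorten that window because it only takes effect once `max-age` has elapsed. That is an acceptable trade-off for public key material only if the key-rotation procedure keeps the outgoing key in the JWKS for at least that long, which nothing in this hunk documents. I would lift the literal into a named constant and record the constraint next to it: `# Shared caches may serve this JWKS for up to JWKS_CACHE_TTL; rotated keys must stay published at least that long.` with `JWKS_CACHE_TTL = 24.hours` and `expires_in JWKS_CACHE_TTL, public: true, must_revalidate: true, 'no-transform': true`. The `payload` helper that `index` renders is outside the hunk, so I cannot tell from here whether it already includes previous keys during rotation.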
@@ -55,5 +55,26 @@
 end
 end
 end
+
+ it 'has cache control header' do
+ get jwks_url
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response.headers['Cache-Control']).to include('max-age=86400', 'public', 'must-revalidate', 'no-transform')
+ end
+
+ context 'when cache_control_headers_for_openid_jwks feature flag is disabled' do
+ before do
+ stub_feature_flags(cache_control_headers_for_openid_jwks: false)
+ end
+
+ it 'does not have cache control header' do
+ get jwks_url
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response.headers['Cache-Control']).not_to include('max-age=86400', 'public',
+ 'no-transform')
+ end
+ end
 end
 end
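Review bot: The negative assertion in 'does not have cache control header' silently drops `must-revalidate` from the list checked in the positive case, and a reader has to guess why; presumably the framework's default `Cache-Control` for a JSON render already carries `must-revalidate`, so asserting its absence would fail regardless of the flag. A one-line comment above the `expect` would make that deliberate: `# must-revalidate is part of the default Cache-Control, so only the flag-added directives are checked here`. The example description is also misleading since the response still has a `Cache-Control` header in the disabled case; `it 'does not set the public caching directives'` would say what is actually asserted. The enabled example relies on the flag being on without stubbing it, which I assume is the spec suite's default for development flags — worth confirming.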