diff --git a/www/www.vcl.tftpl b/www/www.vcl.tftpl
index fe6dccb..33f4011 100644
--- a/www/www.vcl.tftpl
+++ b/www/www.vcl.tftpl
@@ -369,10 +369,20 @@ sub vcl_recv {
 # - Licensing
 # - email-alert-frontend (for subscription management)
 # - sign-in (digital identity) callback
- if (req.url !~ "^/(apply-for-a-licence|email|sign-in/callback)") {
+ if (req.url !~ "^/(apply-for-a-licence|email|sign-in/callback|chat/)") {
 unset req.http.Cookie;
 }
+ # Strip cookies for requests to /chat/* that lack a session cookie,
+ # otherwise pass through
+ if (req.url ~ "^/chat/") {
+ if (req.http.cookie:_govuk_chat_session) {
+ return(pass)
+ } else {
+ unset req.http.Cookie;
+ }
+ }
+
 if (req.url.path ~ "^\/assets(\/.*)?\z") {
 set req.backend = F_staticAssetsS3;
 set req.http.host = "${s3_static_assets_hostname}";
@@ -490,10 +500,15 @@ sub vcl_fetch {
 }
 # Strip cookies from outbound requests. Corresponding rule in vcl_recv{}
- if (req.url !~ "^/(apply-for-a-licence|email|sign-in/callback)") {
+ if (req.url !~ "^/(apply-for-a-licence|email|sign-in/callback|chat/)") {
 unset beresp.http.Set-Cookie;
 }
+ # We don't want to cache any /chat/* responses that set a cookie
+ if (req.url ~ "^/chat/" && resp.http.Set-Cookie) {
+ return (pass);
+ }
+
 # Override default.vcl behaviour of return(pass).
 if (beresp.http.Set-Cookie) {
 return (deliver);
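Review bot: The added `return(pass)` inside the new `/chat/` block in vcl_recv has no terminating semicolon, unlike `return (pass);` in the vcl_fetch hunk, so the rendered VCL will most likely fail to compile; it should read `return(pass);`. The branch tests only that a cookie named `_govuk_chat_session` is present, so any client sending that name, valid or not, bypasses the cache for /chat/ and reaches origin with its whole Cookie header. Origin should be rate-limited with that in mind, and it may be worth forwarding only the session cookie rather than the full header. The early return also skips everything after this point in vcl_recv, which continues outside the hunk (the `/assets` rule is visible just below), so confirm that nothing /chat/ relies on runs later.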
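Review bot: The new condition in vcl_fetch tests `resp.http.Set-Cookie`, but the backend response in this subroutine is `beresp`, as the lines directly above and below show with `beresp.http.Set-Cookie`. `resp` is normally only populated from vcl_deliver onward, so the check would either be rejected by the compiler or never match. If it never matches, a /chat/ response carrying a session `Set-Cookie` falls through to the `return (deliver);` below and may be stored and replayed to other visitors, which is the case this hunk is meant to prevent. Change the line to `if (req.url ~ "^/chat/" && beresp.http.Set-Cookie) {`. vcl_fetch continues outside the hunk.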