diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
index bbb7f521..9a86a429 100644
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@@ -110,6 +110,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
 namespace = var.namespace
 annotations = merge({
 "traefik.ingress.kubernetes.io/router.middlewares" = join(",", compact(concat([
+ "traefik-retry@kubernetescrd",
 var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
 var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
 var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
diff --git a/stacks/platform/modules/traefik/middleware.tf b/stacks/platform/modules/traefik/middleware.tf
index 1ec09881..6d126db1 100644
--- a/stacks/platform/modules/traefik/middleware.tf
+++ b/stacks/platform/modules/traefik/middleware.tf
@@ -341,3 +341,23 @@ resource "kubernetes_manifest" "middleware_anti_ai_trap_links" {
 
 depends_on = [helm_release.traefik]
 }
+
+# Retry middleware for transient backend failures (502/503 during restarts)
+resource "kubernetes_manifest" "middleware_retry" {
+ manifest = {
+ apiVersion = "traefik.io/v1alpha1"
+ kind = "Middleware"
+ metadata = {
+ name = "retry"
+ namespace = kubernetes_namespace.traefik.metadata[0].name
+ }
+ spec = {
+ retry = {
+ attempts = 2
+ initialInterval = "100ms"
+ }
+ }
+ }
+
+ depends_on = [helm_release.traefik]
+}
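Review bot: In `modules/kubernetes/ingress_factory/main.tf` the new `"traefik-retry@kubernetescrd"` entry is unconditional, while the security middlewares after it are each gated by a variable, so a caller has no way to opt an ingress out of retries. It is also listed first, and Traefik applies middlewares in the listed order, so each retry attempt presumably passes through the rate-limit and CrowdSec middlewares again; placing it last in the list would keep those checks to one evaluation per client request. Because the name is a plain string with no Terraform dependency on the platform stack, the `retry` Middleware has to exist before this module is applied, as Traefik typically refuses to serve a router that references a missing middleware. A gated form such as `var.skip_retry ? null : "traefik-retry@kubernetescrd",` (where `skip_retry` is a proposed new variable, not one on this page) would match the neighbouring entries. The list continues past the end of the hunk.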
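Review bot: The comment on `middleware_retry` in `stacks/platform/modules/traefik/middleware.tf` promises more than the middleware does: Traefik's retry re-issues a request only when the backend does not reply and stops as soon as any response arrives, whatever its status, so a 502 or 503 returned by the application itself is not retried. I would reword it to `# Retry middleware: re-issues a request when the backend does not answer (e.g. pod restarting); responses with an error status are not retried`. The comment should also record that the ingress module refers to this object as `traefik-retry@kubernetescrd`, which only resolves while the namespace is named `traefik` and `metadata.name` stays `retry`.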