Soon we can properly sign HTTP requests using DNS for the PKI. Stuff like SRI inside HTML is paving the road to allow verification of hashes transmitted via header for the main page request, including a signature of that hash and url or such.

Sort of similar to how linux package managers employ GPG and package mirrors.

Or maybe we can provide caching based on signed-exchange.