Clear browser history after user logout. Login as admin, go to admin page, logout, login as normal user, hit back button two times. You will end up hitting the admin page which may have sensitive data.
As it's not possible to clean-up browser history programmatically, a solution is to disable cache of HTML pages. HTTP header is "Cache-Control "must-revalidate". Note that WS and assets (images, CSS) should still be cached.