Sunday, 30 November 2014

What's the best way to secure the responses in a single page web app after logout?



I've read some of the great responses to storing and passing session keys in a single page web application (i.e., a web "site" that runs mostly on the client-side, getting data from the server by using an API). But my question is about securing (after logout) the data which comes back in the response, of which I've seen no mention.


This data is directly accessible by just about any modern browser by clicking on the developer tools view (even when using HTTPS). Thus, the following can happen:



  1. Authenticated User (AU) uses the application and downloads secured information.

  2. AU logs out or is logged out automatically.

  3. Application returns to "Login" page. It looks secured, so AU does not close the tab/page.

  4. However, Unauthenticated (malicious) User (UU) sits at desk and opens up Developer tools. In the Network section, UU can see structured JSON objects with lots of juicy information.


This does not happen in a more traditional web application, because the data is embedded in the HTML page, which is gone when the browser redirects to the login page.


We are using AngularJS for our single page web app, which recommends using a location change feature for logout, which I have confirmed does not do an actual redirect (by design); therefore the page is not refreshed; therefore the network requests can be found in the developer section.


It seems that the way to go is to NOT use the AngularJS method, and instead to break the model and to use the pure javascript redirect to refresh the site onto the Login page. This does seem to clear the network requests. Is this the recommended method?


I realize that having access to the browser means that the UU can install keylogging, screen grabbing and all sorts of things that are even worse than this scenario, and there's nothing we can do about that, but the scenario I am describing here is a very common office scenario where casual users can sit down at a browser quickly and spy some info without really doing much work. Given that we're dealing with protected health information, it remains a concern.
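The approach described in the question, as an added example that is not part of the original post and not AngularJS's own code: a logout routine that revokes the session server-side, wipes client-held tokens, and then finishes with a full-document navigation (`window.location.replace`) rather than an in-app route change, so the browser tears the page down and the developer-tools Network panel no longer holds the session's API responses. The `/api/logout` endpoint, the `/login` path and the token names are assumptions made for this illustration; the in-memory stand-ins let the routine run outside a browser.

```javascript
// Added example, not code from the original question or from AngularJS.
// Logout that ends with a full navigation instead of a route change, so the
// Network panel's record of the authenticated session does not survive.
// Assumed for illustration: POST /api/logout revokes the session, /login is
// the login page, and tokens live in sessionStorage.

async function logoutAndReload({ fetchFn, storage, navigate,
                                 logoutUrl = '/api/logout', loginUrl = '/login' }) {
  let revoked = false;
  try {
    // Ask the server to invalidate the session first. This may fail (network
    // down, token already expired); we must still leave the page afterwards.
    const res = await fetchFn(logoutUrl, { method: 'POST', credentials: 'same-origin' });
    revoked = Boolean(res && res.ok);
  } catch (_) {
    revoked = false;
  }
  // Drop client-held tokens and any cached records so nothing outlives the reload.
  storage.clear();
  // Full navigation: the document is unloaded and the Network log is cleared.
  // replace() also keeps the authenticated view out of the back history.
  navigate(loginUrl);
  return { revoked, loginUrl };
}

// Real-browser wiring. In an AngularJS 1.x controller, call
// logoutAndReload(browserDeps()) where $location.path('/login') would be used.
function browserDeps() {
  return {
    fetchFn: (url, opts) => fetch(url, opts),
    storage: window.sessionStorage,
    navigate: (url) => window.location.replace(url),
  };
}

// In-memory stand-ins (constructed for this example) so the routine can be
// exercised and checked outside a browser.
function memoryDeps({ serverOk = true, serverThrows = false } = {}) {
  const calls = { fetched: [], navigatedTo: null };
  const store = new Map();
  return {
    calls,
    store,
    deps: {
      fetchFn: async (url, opts) => {
        calls.fetched.push({ url, method: opts.method });
        if (serverThrows) throw new Error('network unreachable');
        return { ok: serverOk };
      },
      storage: { clear: () => store.clear(), setItem: (k, v) => store.set(k, v) },
      navigate: (url) => { calls.navigatedTo = url; },
    },
  };
}

if (typeof window === 'undefined') {
  // Stand-alone demo outside a browser.
  const m = memoryDeps();
  m.deps.storage.setItem('access_token', 'example-token');
  logoutAndReload(m.deps).then((r) =>
    console.log(r, 'tokens left:', m.store.size, 'navigated to:', m.calls.navigatedTo));
}
```

The order matters: revoke first (while the token is still available to send), then clear local state, then navigate; doing the navigation first would cancel the in-flight revoke request, and the server-side session would stay valid even though the client has forgotten it.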




