You're viewing the Inertia.js v2.0 documentation. Upgrade guide →

History encryption

Imagine a sceniario where your user is authenticated, browses priveleged information on your site, then logs out. If they press the back button, they can still see the priveleged information that is stored in the window's history state. This is a security risk. To prevent this, Inertia.js provides a history encryption feature.

How it works

When you instruct Inertia to encrypt your app's history, it uses the browser's built-in crypto api to encrypt the current page's data before pushing it to the history state. We store the corresponding key in the browser's session storage. When the user navigates back to a page, we decrypt the data using the key stored in the session storage.

Once you instruct Inertia to clear your history state, we simply clear the existing key from session storage roll a new one. If we attempt to decrypt the history state with the new key, it will fail and Inertia will make a fresh request back to your server for the page data.

History encryption relies on window.crypto.subtle which is only available in secure environments (sites with SSL enabled).

Opting in

History encryption is an opt-in feature. There are several methods for enabling it:

Global encryption

If you'd like to enable history encryption globally, set the inertia.history.encrypt config value to true.

You are able to opt out of encryption on specific pages by calling the encryptHistory method before returning the response:

Inertia::encryptHistory(false);

Per-request encryption

To encrypt the history of an individual request, simply cal the encryptHistory method before returning the response:

Inertia::encryptHistory();

Encrypt middleware

To encrypt a group of routes, Inertia provides the EncryptHistoryMiddleware as a convenience.

Route::middleware([Inertia\EncryptHistoryMiddleware::class])->get('/', function() {
    //
});

Route::middleware(['inertia::encrypt'])->get('/', function() {
    //
});

Clearing history

To clear the history state, you can call the clearHistory method before returning the response:

Inertia::clearHistory();

Once the response has rendered on the client, the encryption key will be rotated, rendering the previous history state unreadable.

You can also clear history on the client site by calling router.clearHistory().