You're viewing the Inertia.js v2.0 documentation. Upgrade guide →
Imagine a sceniario where your user is authenticated, browses priveleged information on your site, then logs out. If they press the back button, they can still see the priveleged information that is stored in the window's history state. This is a security risk. To prevent this, Inertia.js provides a history encryption feature.
When you instruct Inertia to encrypt your app's history, it uses the browser's built-in crypto
api to encrypt the current page's data before pushing it to the history state. We store the corresponding key in the browser's session storage. When the user navigates back to a page, we decrypt the data using the key stored in the session storage.
Once you instruct Inertia to clear your history state, we simply clear the existing key from session storage roll a new one. If we attempt to decrypt the history state with the new key, it will fail and Inertia will make a fresh request back to your server for the page data.
window.crypto.subtle
which is only available in secure environments (sites with SSL enabled).History encryption is an opt-in feature. There are several methods for enabling it:
If you'd like to enable history encryption globally, set the inertia.history.encrypt
config value to true
.
You are able to opt out of encryption on specific pages by calling the encryptHistory
method before returning the response:
Inertia::encryptHistory(false);
To encrypt the history of an individual request, simply cal the encryptHistory
method before returning the response:
Inertia::encryptHistory();
To encrypt a group of routes, Inertia provides the EncryptHistoryMiddleware
as a convenience.
Route::middleware([Inertia\EncryptHistoryMiddleware::class])->get('/', function() {
//
});
Route::middleware(['inertia::encrypt'])->get('/', function() {
//
});
To clear the history state, you can call the clearHistory
method before returning the response:
Inertia::clearHistory();
Once the response has rendered on the client, the encryption key will be rotated, rendering the previous history state unreadable.
You can also clear history on the client site by calling router.clearHistory()
.