In this episode, we tackle a pretty common security issue with single page applications like those built with Inertia. If you've ever noticed that after logging out, hitting the browser back button sometimes reveals sensitive information, you're not alone—this is exactly what we set out to solve today by using the history encryption API.
We start by demonstrating the problem: logging in, viewing a 'secret' value on the dashboard, logging out, and then hitting the back button. As expected, the dashboard reappears with the data still visible, even though we've logged out. A refresh does correct this (redirecting to the login page), but the back button issue remains because of how Inertia manages browser history: it stores each visited page's props in the browser's history state, so navigating back restores the page from that cached state without a server round-trip, and the server-side auth check never gets a chance to run.
Then, we walk through enabling history encryption globally in the Inertia config file (`config/inertia.php`) by setting the `history.encrypt` option to true. It's worth noting you need to be running in a secure context for this feature to work, since the client uses the browser's Web Crypto API (`window.crypto.subtle`), which is only available over HTTPS (and on `localhost`, which browsers also treat as secure). Simply enabling the config isn't enough: encrypted entries are still decryptable as long as the client holds the key, so you also need to clear Inertia's history when the user signs out. We do this in the logout controller with `Inertia::clearHistory()` before redirecting, which rotates the client's encryption key so earlier history entries can no longer be decrypted. After doing this and logging out, hitting back now properly redirects us to the login page, and no sensitive data is exposed.
Towards the end, we cover some advanced usage. You can enable or disable history encryption on a per-route basis instead of globally, either in code by calling `Inertia::encryptHistory()` before rendering a page, or by attaching Inertia's `EncryptHistoryMiddleware` to the routes that need it. This gives you flexibility if only some pages contain sensitive information.
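The pieces described above pulled together as an added example (not code from the episode or the Inertia project): the config switch, a logout controller that clears history before redirecting, and per-route encryption via a controller call and via middleware. Route paths, controller and class names, and the `INERTIA_ENCRYPT_HISTORY` env variable name are assumptions for illustration; the Inertia calls used are `Inertia::clearHistory()`, `Inertia::encryptHistory()` and `Inertia\EncryptHistoryMiddleware`.

```php
<?php

// --- config/inertia.php (excerpt) -------------------------------------------
// Global switch. Page props placed in history state are encrypted client-side
// with the Web Crypto API, so the app must be served in a secure context
// (HTTPS, or localhost in development). Env var name is an assumption.
return [
    'history' => [
        'encrypt' => (bool) env('INERTIA_ENCRYPT_HISTORY', false),
    ],
];

// --- app/Http/Controllers/Auth/LogoutController.php (hypothetical) ----------
namespace App\Http\Controllers\Auth;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Inertia\Inertia;

class LogoutController
{
    public function __invoke(Request $request): RedirectResponse
    {
        Auth::guard('web')->logout();

        // Standard session hygiene: drop the old session and CSRF token.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        // Tell the Inertia client to rotate its history encryption key.
        // Without this, Back would still decrypt the dashboard entry that was
        // written before logout. Must be called before the redirect is returned.
        Inertia::clearHistory();

        return redirect('/login');
    }
}

// --- app/Http/Controllers/DashboardController.php (hypothetical) ------------
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Inertia\Inertia;
use Inertia\Response;

class DashboardController
{
    public function __invoke(Request $request): Response
    {
        // Per-page opt-in when the global switch is off: only this response's
        // props get encrypted in history state.
        Inertia::encryptHistory();

        return Inertia::render('Dashboard', [
            'secret' => $request->user()->api_token, // sensitive prop (assumed field)
        ]);
    }
}

// --- routes/web.php (excerpt) -----------------------------------------------
use App\Http\Controllers\Auth\LogoutController;
use App\Http\Controllers\DashboardController;
use Illuminate\Support\Facades\Route;
use Inertia\EncryptHistoryMiddleware;

Route::post('/logout', LogoutController::class)->middleware('auth');

// Alternative to the in-controller call: enable encryption for a whole route
// or route group with the middleware, leaving public pages unencrypted.
Route::middleware(['auth', EncryptHistoryMiddleware::class])->group(function () {
    Route::get('/dashboard', DashboardController::class);
});
```

Check the fix the same way the episode does: log in, view the dashboard, log out, press Back. With `clearHistory()` in place the client can no longer decrypt the stored entry and falls through to a fresh request, which the `auth` middleware redirects to `/login`. If you test over plain `http://` on anything other than `localhost`, encryption will not be active because `window.crypto.subtle` is unavailable outside a secure context.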
Overall, by the end of the episode, we've solved the issue of leaking sensitive data through browser history and learned how to configure and adjust Inertia's history encryption settings depending on your needs.