History Encryption

Protect sensitive data in browser history with encryption.

See also

Official Inertia.js docs: History Encryption

Overview

Inertia v2 supports encrypting page data stored in browser history. This prevents sensitive data from being visible after a user logs out.

How It Works

1. When encryptHistory: true, Inertia encrypts page data using the browser’s Web Crypto API before storing in history

2. A session-specific encryption key is generated client-side

3. When navigating back, data is decrypted automatically

4. Calling clearHistory regenerates the key, invalidating old entries

Enabling Encryption

Per-response:

from litestar_vite.inertia import InertiaResponse

@get("/account", component="Account")
async def account() -> InertiaResponse:
    return InertiaResponse(
        content={"ssn": "123-45-6789", "salary": 100000},
        encrypt_history=True,
    )

Globally:

from litestar_vite.inertia import InertiaConfig

InertiaConfig(
    encrypt_history=True,  # All pages encrypted by default
)

Clearing History

Clear encrypted history during logout to invalidate old entries:

Using the response parameter:

@get("/logout", component="Logout")
async def logout() -> InertiaResponse:
    return InertiaResponse(
        content={},
        clear_history=True,  # Regenerates encryption key
    )

Using the helper function:

from litestar_vite.inertia import clear_history, InertiaRedirect

@post("/logout")
async def logout(request: Request) -> InertiaRedirect:
    request.session.clear()
    clear_history(request)  # Sets flag for next response
    return InertiaRedirect(request, "/login")

The clear_history() helper sets a session flag that’s consumed by the next InertiaResponse.

Logout Flow

Recommended logout pattern:

from litestar_vite.inertia import clear_history, InertiaRedirect

@post("/logout")
async def logout(request: Request) -> InertiaRedirect:
    # 1. Clear server-side session
    request.session.clear()

    # 2. Mark history for clearing
    clear_history(request)

    # 3. Redirect to login
    return InertiaRedirect(request, "/login")

Protocol Response

When history encryption is enabled:

{
  "component": "Account",
  "props": {"ssn": "***"},
  "encryptHistory": true
}

When clearing history:

{
  "component": "Login",
  "props": {},
  "clearHistory": true
}

Browser Requirements

History encryption requires:

• HTTPS in production (Web Crypto API requirement)

• Modern browser with Web Crypto support

Note

In development (HTTP), encryption may be degraded or disabled. Always test with HTTPS for accurate behavior.

Security Considerations

• Encryption happens client-side using browser APIs

• Server never sees the encryption key

• Keys are per-session and stored in memory

• Closing the browser clears the key

• clearHistory forces key regeneration

Best Practices

1. Enable globally for applications with sensitive data

2. Always call clear_history() on logout

3. Use HTTPS in production

4. Don’t rely solely on encryption - also minimize sensitive data in props

See Also

• Redirects - Redirect patterns

• Web Crypto API