Web Crypto API Support for Browser-Side Encryption

Detect Web Crypto API availability for performing cryptographic operations in the browser. Covers key generation, encryption, hashing, and signing.

Security

Detailed Explanation

Web Crypto API Detection

The Web Cryptography API provides a set of low-level cryptographic primitives for key generation, encryption, decryption, signing, and hashing, all running natively in the browser without external libraries.

Detection

const hasWebCrypto = !!(window.crypto && window.crypto.subtle);

Available Operations

function checkCryptoCapabilities() {
  const subtle = window.crypto?.subtle;
  if (!subtle) return null;
  return {
    encrypt: typeof subtle.encrypt === 'function',
    decrypt: typeof subtle.decrypt === 'function',
    sign: typeof subtle.sign === 'function',
    verify: typeof subtle.verify === 'function',
    digest: typeof subtle.digest === 'function',
    generateKey: typeof subtle.generateKey === 'function',
    deriveKey: typeof subtle.deriveKey === 'function',
    importKey: typeof subtle.importKey === 'function',
    exportKey: typeof subtle.exportKey === 'function',
  };
}

Common Algorithms

Operation      | Algorithm        | Use Case
Hashing        | SHA-256, SHA-512 | Data integrity, checksums
Encryption     | AES-GCM, AES-CBC | Data protection
Signing        | RSA-PSS, ECDSA   | Authentication, JWT
Key exchange   | ECDH             | Secure key agreement
Key derivation | PBKDF2, HKDF     | Password-based keys

Security Requirements

  • HTTPS only: crypto.subtle is only available in secure contexts
  • Non-extractable keys: Keys can be marked as non-extractable, preventing JavaScript from reading the raw key material
  • No MD5/SHA-1: The API intentionally omits insecure algorithms
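
Checking that a method exists on crypto.subtle does not show that a particular algorithm is implemented. The following added example (not part of the original page) runs one small probe per algorithm from the Common Algorithms table and confirms that a key generated as non-extractable cannot be exported. The helper names and probe parameters are assumptions.

```javascript
// Added example: probe real algorithm support instead of method presence.
// Works in browsers and workers; the require() fallback is only for older Node.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Probe builders; every key is created with extractable = false.
const aes = name => s =>
  s.generateKey({ name, length: 256 }, false, ['encrypt', 'decrypt']);
const ec = (name, usages) => s =>
  s.generateKey({ name, namedCurve: 'P-256' }, false, usages);
const kdf = name => s =>
  s.importKey('raw', new Uint8Array(16), name, false, ['deriveKey']);

// One cheap probe per algorithm in the table (parameters are assumed).
const PROBES = {
  'SHA-256': s => s.digest('SHA-256', new Uint8Array(1)),
  'SHA-512': s => s.digest('SHA-512', new Uint8Array(1)),
  'AES-GCM': aes('AES-GCM'),
  'AES-CBC': aes('AES-CBC'),
  'RSA-PSS': s => s.generateKey({ name: 'RSA-PSS', modulusLength: 2048,
    publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    false, ['sign', 'verify']),
  'ECDSA': ec('ECDSA', ['sign', 'verify']),
  'ECDH': ec('ECDH', ['deriveKey']),
  'PBKDF2': kdf('PBKDF2'),
  'HKDF': kdf('HKDF'),
};

// Returns null when crypto.subtle is missing, else { algorithmName: boolean }.
async function probeCrypto(subtle = webCrypto?.subtle, probes = PROBES) {
  if (!subtle) return null;
  const report = {};
  for (const [name, probe] of Object.entries(probes)) {
    try { await probe(subtle); report[name] = true; }
    catch { report[name] = false; } // probe rejected: treat as unavailable
  }
  return report;
}

// Confirms that a key generated with extractable = false cannot be exported.
async function nonExtractableHolds(subtle = webCrypto?.subtle) {
  const key = await aes('AES-GCM')(subtle);
  try { await subtle.exportKey('raw', key); return false; }
  catch { return key.extractable === false; }
}
```

Run the probes once at startup and gate features on the report, since generating the RSA key is noticeably slower than the other checks.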

Example: SHA-256 Hash

async function sha256(message) {
  const encoder = new TextEncoder();
  const data = encoder.encode(message);
  const hash = await crypto.subtle.digest('SHA-256', data);
  return Array.from(new Uint8Array(hash))
    .map(b => b.toString(16).padStart(2, '0'))
    .join('');
}

Use Case

The Web Crypto API powers client-side encryption for messaging apps, password hashing, JWT generation and verification, file integrity checking, and end-to-end encrypted storage. It is essential for any web application that handles sensitive data.
