Introduction

Generating a hash from a string in JavaScript usually means computing a digest such as SHA-256. The best implementation depends on the environment: in browsers, the standard tool is the Web Crypto API, while in Node.js you typically use the built-in crypto module.

Use the Web Crypto API in the Browser

Modern browsers expose crypto.subtle.digest(...) for hashing.

1async function sha256Hex(text) {
2  const data = new TextEncoder().encode(text);
3  const hashBuffer = await crypto.subtle.digest('SHA-256', data);
4  const hashArray = Array.from(new Uint8Array(hashBuffer));
5  return hashArray.map(byte => byte.toString(16).padStart(2, '0')).join('');
6}
7
8sha256Hex('hello').then(console.log);

This returns a hexadecimal SHA-256 digest of the input string. The API is asynchronous because cryptographic work is handled through browser crypto primitives rather than simple synchronous string helpers.

Use Node.js crypto on the Server

In Node.js, the equivalent pattern uses the built-in crypto module.

1const crypto = require('crypto');
2
3function sha256Hex(text) {
4  return crypto
5    .createHash('sha256')
6    .update(text, 'utf8')
7    .digest('hex');
8}
9
10console.log(sha256Hex('hello'));

This is the usual choice for server-side hashing tasks such as cache keys, integrity checks, or content fingerprints.

Know What Hashing Is Good For

A hash function is deterministic: the same input gives the same output every time. Good cryptographic hashes are also designed so that the original input cannot feasibly be reconstructed from the digest, and small input changes produce very different outputs.

That makes hashes useful for:

• integrity checks
• deterministic identifiers
• deduplication fingerprints
• signatures and verification workflows

It does not automatically make them the right tool for every security problem.

Hashing Passwords Is a Different Problem

One of the most important distinctions is that plain SHA-256 is not a safe password-storage strategy by itself. Password storage should use a password-hashing algorithm designed to be slow and expensive, such as Argon2, bcrypt, or PBKDF2.

So if the real requirement is "hash a password," the correct answer is usually not "use SHA-256 in JavaScript." It is "use an appropriate password-hashing system on the server side." That is a different security goal from hashing a string for integrity or key generation.

Encodings and Output Formats Matter

Hashes operate on bytes, not on abstract strings. That is why the examples explicitly encode the string as UTF-8 before hashing it. If two systems do not encode the input the same way, they may produce different digests for visually identical text.

The output format also matters. Hex is common because it is easy to log and transmit, but some workflows use Base64 instead.

Browser-side Web Crypto hashing also depends on running in a secure context in normal web deployments. If crypto.subtle appears missing, check the execution environment before assuming the code is wrong. That environment requirement is easy to forget during quick experiments.

If the use case involves authenticity rather than just integrity, a plain hash may not be enough. In those cases, keyed constructions such as HMAC are often the more appropriate primitive.

Common Pitfalls

Using ad hoc "hash" snippets from old blog posts often produces weak, non-cryptographic hashes that are unsuitable for security-sensitive tasks.

Treating plain SHA-256 as a password-hashing solution is a serious security mistake.

Ignoring string encoding can make cross-platform hash comparisons fail unexpectedly.

Summary

• In browsers, use the Web Crypto API to hash strings.
• In Node.js, use the built-in crypto module.
• Understand whether you need a general-purpose digest or a password-hashing algorithm.
• Be explicit about input encoding and output format so hashes are reproducible across systems.