Forge: JavaScript Security and Cryptography

Web Applications are quickly becoming the primary way that we work with data and communicate inside and across organizations. At times, it is important that the data and messages that we work with are protected from snooping and modification. Often, we send credit card numbers, e-mail addresses, and other important personal information across the Web. Traditionally, Web Applications communicating with one another have not needed very strong protections on data. As more and more of our information is entrusted to Web Applications, it becomes very important to protect that information in a way that is more secure than the current practice on the Web.

The Forge software provides a suite of tools to help Web Applications protect data and perform many common security and cryptography tasks. Forge includes a fully native implementation of the Transport Layer Security protocol in JavaScript as well as a set of tools for developing Web Applications that are cryptographically secure and provide military-grade encryption and protection for data.


  • Storage of debugging information normally inaccessible in closures for viewing/investigation.
  • Utility functions, including byte buffer support, base64, bytes to/from hex, zlib inflate/deflate, etc.
  • Logging to a JavaScript console using various categories and levels of verbosity.
  • Queuing and synchronizing tasks in a web application.
  • Basic AES encryption and decryption in CBC mode.
  • MD5, SHA-1, SHA-256 message digests
  • HMAC support
  • PKCS#5 password-based key-derivation
  • Fortuna-based cryptographically-secure pseudo-random number generator, to be used with a cryptographic function backend, i.e., AES.
  • Interface for getting cryptographically-secure bytes using AES as a backend
  • ASN.1 DER encoding and decoding support
  • X.509 certificate and RSA public and private key encoding, decoding, encryption/decryption, and signing/verifying.
  • Native JavaScript client and server-side TLS implementation using WebSockets
  • Interface to create and use raw sockets provided via Flash.
  • Native JavaScript mini-implementation of an HTTP client that uses pooled sockets.
  • An XMLHttpRequest implementation using Forge’s HTTP implementation as a backend.
  • An Apache module that can serve up a Flash Socket Policy. This module makes it easy to modify an Apache server to allow cross-domain requests to be made to it.


You can read more about why this software is necessary in part 1 and part 2 of a series of blog posts that we published on advanced cryptography in the browser.


You can access the source code on github.




© 2021 Digital Bazaar, Inc. All rights reserved.
