I am writing a login for a forum, and need to hash the password client side in javascript before sending it on to the server. I'm having trouble figuring out which SHA-256 implementation I can actually trust. I was expecting there to be some kind of authoritative script that everyone used, but I'm finding loads of different projects all with their own implementations.
I realize using other people's crypto is always a leap of faith unless you're qualified to review it yourself, and that there is no universal definition of "trustworthy", but this seems like something common and important enough that there ought to be some kind of consensus on what to use. Am I just naive?
Edit since it comes up a lot in the comments: Yes, we do a more stringent hash again on the server side. The client side hashing is not the final result that we save in the database. The client side hashing is because the human client requests it. They have not given a specific reason why, probably they just like overkill.
Most modern browsers now support crypto operations natively. See https://developer.mozilla.org/en-US/docs/Web/API/Crypto.
The fundamental principle is that you (at the server end) have to assume that everything happening on the client side may be malicious, and may not even be running your code at all. If your crypto operations are meant to protect the user's data from a third-party's discovery or interference, the appropriate crypto layer to use is TLS rather than rolling your own in the client.
Sending sensitive data over TLS does not require additional crypto in transit beyond that provided transparently by TLS for compliance with any laws or best practices. If you're sending sensitive data, send it over TLS. From your application's perspective this will look like plain-text, but that's entirely appropriate and merely a reflection of the level of abstraction of the encryption, not the level of security it provides. Just because a security mechanism feels simple to use doesn't mean the protections it provides are simplistic.
And don't say: "I'm already using TLS, but I'm making it BETTER by doing client-side as well." Complicating your application with more security-adjacent components doesn't add security. Instead, you're sacrificing true long-term security in order to feel like you're doing more.
The context specified for this question is exactly the wrong place to do client-side crypto. There's a good reason why major tech companies never do what this question suggests, and they're successfully fending off nation-state level attackers.
The case where client-side browser crypto is appropriate is when the client is considered stand-alone and the user's protection is not expected to be guarded by the server operator. This is an exceptionally rare situation, but shows up in things like offline web applications.