
Web Security: Encoding and Hashing Guide

Understand the differences between encoding, hashing, and encryption. Learn when to use Base64, SHA-256, bcrypt, and HTML entity encoding for web security.

Necmeddin Cunedioglu

Encoding, hashing, and encryption are three fundamentally different operations that developers frequently confuse. Understanding the difference is critical for building secure applications.

The Three Operations

Encoding — Reversible Format Conversion

Encoding transforms data from one format to another for compatibility, not security. Anyone can decode encoded data without a key.

  • Base64 — Binary-to-text encoding for embedding images, transmitting binary data.
  • URL Encoding — Percent-encoding for safe URL characters.
  • HTML Entities — Character encoding to prevent markup interpretation.

Important: Base64 is NOT encryption. Learn why.

Hashing — One-Way Fingerprint

Hashing produces a fixed-size “fingerprint” from any input. It cannot be reversed.

  • SHA-256 — Data integrity verification, checksums.
  • bcrypt — Password storage (with salt and key stretching).

Generate hashes instantly with our Hash Generator.

Encryption — Reversible with a Key

Encryption transforms data into an unreadable format that can only be decrypted with the correct key. It provides confidentiality.

  • AES — Symmetric encryption (same key encrypts and decrypts).
  • RSA — Asymmetric encryption (public key encrypts, private key decrypts).

Quick Comparison

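|             | Encoding               | Hashing                | Encryption        |
|-------------|------------------------|------------------------|-------------------|
| Reversible? | ✅ Yes (no key needed) | ❌ No (one-way)        | ✅ Yes (with key) |
| Purpose     | Format compatibility   | Integrity verification | Confidentiality   |
| Security?   | ❌ None                | ⚠️ Partial             | ✅ Full           |
| Example     | Base64, URL encode     | SHA-256, bcrypt        | AES, RSA          |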

When to Use What

| Scenario                | Use                  | Tool                |
|-------------------------|----------------------|---------------------|
| Embed image in CSS      | Base64 encoding      | Base64 Encoder      |
| Store user passwords    | bcrypt hashing       | Learn bcrypt vs SHA |
| Verify file integrity   | SHA-256 hash         | Hash Generator      |
| Prevent XSS attacks     | HTML entity encoding | HTML Entity Encoder |
| Inspect auth tokens     | JWT decoding         | JWT Decoder         |
| Build URL query strings | URL encoding         | URL Encoder         |

Common Mistakes

Mistake 1: Using Base64 for “Security”

Base64 only changes the format. It provides zero confidentiality. Read more: Base64 is Not Encryption.

Mistake 2: Using SHA-256 for Passwords

SHA-256 is fast — too fast for password storage. An attacker can compute billions of SHA-256 hashes per second. Use bcrypt or Argon2 instead. Read more: bcrypt vs SHA-256.

Mistake 3: Skipping HTML Entity Encoding

Displaying user input without encoding its special characters as HTML entities enables XSS attacks. Read more: XSS Prevention with HTML Entity Encoding.

Necmeddin Cunedioglu Author

Software developer and the creator of UseToolSuite. I write about the tools and techniques I use daily as a developer — practical guides based on real experience, not theory.