AES itself only defines how to encrypt a single 16-byte block. To encrypt anything larger, you need a “mode of operation” that describes how successive blocks relate to each other. CBC and GCM are two of the most common modes, and picking between them isn't just a performance choice — it changes what security guarantees you actually get.
Cipher Block Chaining XORs each plaintext block with the previous ciphertext block before encrypting it, using a random initialization vector (IV) to seed the first block. This hides patterns in the plaintext well, but CBC provides no way to detect tampering — an attacker can flip bits in the ciphertext and, depending on how the application handles the result, sometimes cause predictable changes in the decrypted plaintext without ever needing the key. Without a separate authentication step (like HMAC, applied correctly — a pattern called encrypt-then-MAC), a system using CBC alone has no way to tell legitimate ciphertext from tampered ciphertext.
Galois/Counter Mode combines encryption with a built-in authentication tag, so decryption fails loudly if even a single bit of the ciphertext has been altered. This class of construction is called authenticated encryption (AEAD), and it removes an entire category of implementation mistakes: there's no separate MAC step to forget, get the order of, or implement incorrectly. GCM is also a stream-cipher-style mode built on a counter, which makes it parallelizable and generally faster than CBC on modern hardware with AES-NI instruction support.
GCM's security depends entirely on never reusing the same key/IV (nonce) pair. Reuse it once, and an attacker can recover the authentication key and forge messages — a much more severe failure than what happens if a CBC IV is reused. In practice this means always generating a fresh, random 96-bit IV per encryption operation, which is exactly what the Web Crypto API does automatically when you don't supply one yourself.
For new work, default to AES-GCM. It gives you tamper detection for free, it's faster on modern CPUs, and it removes the “did I implement the MAC correctly” failure mode entirely. CBC is still fine when you're working with a system or library that only supports it and you pair it correctly with a MAC — but for anything greenfield, there's little reason to reach for it over GCM.
The Encrypt / Decrypt tool on this site supports both AES-256-CBC and AES-256-GCM, generating a fresh IV for every operation.