Guides

Practical guides to URL encoding.

Deep explanations of the things our tool handles for you. Aimed at developers and curious readers who want to understand why, not just how. Every guide is a complete standalone reference.

Reference

URL reserved characters — the complete table

Every character that needs URL encoding, what it becomes, and when you actually need to encode it.

By language

URL encoding in every programming language

The right function to use in JavaScript, Python, PHP, Java, Go, C#, Ruby, Rust, and shell.

Charsets

UTF-8 vs ASCII URL encoding

Why character sets matter, what UTF-8 does that ASCII can't, and how to fix garbled text.

How to

How to URL-encode query parameters

The right pattern for encoding query strings, plus the four common mistakes that break URLs.

Troubleshooting

Fix broken URL encoding

Ten symptoms of broken URL encoding, what causes each, and how to repair them.

FAQ

URL decoding FAQ

25 answers on percent-decoding — the basics, decoding in JavaScript, Python, Java, and Go, garbled text, double-encoding, and the SEO and security angles.

FAQ

URL encoding FAQ

25 answers on percent-encoding — the basics, encoding in JavaScript, Python, Java, Go, and PHP, %20 vs +, encoding versus HTML and Base64, and the SEO and security angles.

Troubleshooting

Fix HTTP 431 (headers too large)

Why a double-encoding loop inflates requests past the limit, the exact Node.js, Nginx, and Apache settings to change, and why Nginx returns 400/414 instead of 431.

Data engineering

Parsing encoded URLs from server logs

Extract and decode percent-encoded request paths from Nginx and Apache access logs with awk, grep, sed, and Python — streaming line by line so huge logs never touch memory.

Frontend routing

Query params in React & Next.js

Read and write URL search params correctly with URLSearchParams — avoiding double-encoding, scroll jumps, and infinite re-render loops in the App Router.

Technical SEO

Faceted navigation & crawl budget

How filter order and hex casing multiply parameter URLs into crawl-budget waste — and the current Google-recommended fixes (robots.txt, canonical, nofollow).

Authorization

OAuth 2.0 redirect_uri & state encoding

Why "Login with Google/GitHub" flows break on encoding — exact-match redirect_uri failures, corrupted state, double-encoding, and PKCE's base64url requirement.

Security

Decode-then-validate input hardening

Why input filters on raw encoded data fail, and how to harden validation: canonicalize first, allowlist over blocklist, and defeat double-encoding evasions.

JavaScript

How to parse a query string in JavaScript

The modern URLSearchParams approach — get, getAll for repeated keys, decoding, +/space, and converting to an object. With runnable code.

Redirects

How to pass a URL as a query parameter

Embedding a URL inside another (redirects, return links) without its ? & # breaking the outer URL — encodeURIComponent and URLSearchParams.

HTTP

How to send form data via a POST request

x-www-form-urlencoded vs multipart/form-data, with fetch, Python requests, and cURL — and how to pick between them.

Node.js

How to get the current URL path in Node.js

Reading the request path with the WHATWG URL API, raw http, and Express req.path — plus separating path from query and decoding safely.

Paths

How to escape a forward slash in a URL path

Encoding a slash inside a segment as %2F without breaking routing, why servers handle %2F inconsistently, and the robust alternative.

Python

How to split a URL into parts in Python 3

urllib.parse — urlparse, parse_qs for query strings, unquote vs unquote_plus, and putting a URL back together.

Validation

How to validate a URL programmatically

Parse, don’t regex — URL.canParse in JS, urlparse checks in Python, java.net.URI in Java, plus open-redirect and SSRF cautions.

Node.js

How to capture incoming HTTP request parameters

Reading query, route, and body parameters in Node.js and Express — req.query, req.params, req.body — with decoding and webhook safety.

Security

How to prevent directory traversal attacks

Stopping ../ path traversal: why decode-then-validate matters, how %2e%2e and double-encoding evade filters, and the canonicalize-first defence.

Parsing

How to extract the hostname from a URL

Getting the host or root domain out of a URL with the parser (not regex) — ports, credentials, subdomains, and the Public Suffix List.

SEO

How to set a canonical URL

Using rel=canonical to consolidate duplicates from tracking parameters, hex-casing, and trailing slashes — with common mistakes to avoid.

Debugging

How to debug a 404 from bad URL parameters

Finding encoding-caused 404s: encoded slashes, double-encoding, unencoded # and spaces, mixed casing — a systematic checklist.

About this page

Written and maintained by the urlencodedecode.com team. Every technical claim on this page is verified against primary sources — the RFCs (3986, 3629, 4648, 7578), the WHATWG URL Standard, and official vendor or language documentation — rather than second-hand summaries. When a source contradicts a common assumption, we follow the source and note the discrepancy. Corrections: contactus@urlencodedecode.com.