Deep explanations of the things our tool handles for you. Aimed at developers and curious readers who want to understand why, not just how. Every guide is a complete standalone reference.
Every character that needs URL encoding, what it becomes, and when you actually need to encode it.
The right function to use in JavaScript, Python, PHP, Java, Go, C#, Ruby, Rust, and shell.
Why character sets matter, what UTF-8 does that ASCII can't, and how to fix garbled text.
The right pattern for encoding query strings, plus the four common mistakes that break URLs.
Ten symptoms of broken URL encoding, what causes each, and how to repair them.
25 answers on percent-decoding — the basics, decoding in JavaScript, Python, Java, and Go, garbled text, double-encoding, and the SEO and security angles.
25 answers on percent-encoding — the basics, encoding in JavaScript, Python, Java, Go, and PHP, %20 vs +, encoding versus HTML and Base64, and the SEO and security angles.
Why a double-encoding loop inflates requests past the limit, the exact Node.js, Nginx, and Apache settings to change, and why Nginx returns 400/414 instead of 431.
Extract and decode percent-encoded request paths from Nginx and Apache access logs with awk, grep, sed, and Python — streaming line by line so huge logs never touch memory.
Read and write URL search params correctly with URLSearchParams — avoiding double-encoding, scroll jumps, and infinite re-render loops in the App Router.
How filter order and hex casing multiply parameter URLs into crawl-budget waste — and the current Google-recommended fixes (robots.txt, canonical, nofollow).
Why "Login with Google/GitHub" flows break on encoding — exact-match redirect_uri failures, corrupted state, double-encoding, and PKCE's base64url requirement.
Why input filters on raw encoded data fail, and how to harden validation: canonicalize first, allowlist over blocklist, and defeat double-encoding evasions.
The modern URLSearchParams approach — get, getAll for repeated keys, decoding, +/space, and converting to an object. With runnable code.
Embedding a URL inside another (redirects, return links) without its ? & # breaking the outer URL — encodeURIComponent and URLSearchParams.
x-www-form-urlencoded vs multipart/form-data, with fetch, Python requests, and cURL — and how to pick between them.
Reading the request path with the WHATWG URL API, raw http, and Express req.path — plus separating path from query and decoding safely.
Encoding a slash inside a segment as %2F without breaking routing, why servers handle %2F inconsistently, and the robust alternative.
urllib.parse — urlparse, parse_qs for query strings, unquote vs unquote_plus, and putting a URL back together.
Parse, don’t regex — URL.canParse in JS, urlparse checks in Python, java.net.URI in Java, plus open-redirect and SSRF cautions.
Reading query, route, and body parameters in Node.js and Express — req.query, req.params, req.body — with decoding and webhook safety.
Stopping ../ path traversal: why decode-then-validate matters, how %2e%2e and double-encoding evade filters, and the canonicalize-first defence.
Getting the host or root domain out of a URL with the parser (not regex) — ports, credentials, subdomains, and the Public Suffix List.
Using rel=canonical to consolidate duplicates from tracking parameters, hex-casing, and trailing slashes — with common mistakes to avoid.
Finding encoding-caused 404s: encoded slashes, double-encoding, unencoded # and spaces, mixed casing — a systematic checklist.
Written and maintained by the urlencodedecode.com team. Every technical claim on this page is verified against primary sources — the RFCs (3986, 3629, 4648, 7578), the WHATWG URL Standard, and official vendor or language documentation — rather than second-hand summaries. When a source contradicts a common assumption, we follow the source and note the discrepancy. Corrections: contactus@urlencodedecode.com.