URL Encoding & Decoding: How the Web Safely Transmits Data
URLs are one of the most fundamental components of the web — yet they have strict rules about which characters are allowed.
URL encoding exists to safely transmit arbitrary data through these constraints without ambiguity or corruption.
What Is URL Encoding?
URL encoding (also called percent-encoding) replaces unsafe characters with a percent sign followed by hex digits.
Space → %20
? → %3F
& → %26
Encoded URLs remain valid, unambiguous, and machine-parsable.
Why URL Encoding Exists
URLs have special characters with reserved meanings:
- ? starts query strings
- & separates parameters
- / defines paths
Encoding prevents user input from being misinterpreted as URL syntax.
How URL Encoding Works
Each unsafe character is replaced by:
%HH
Where HH is the character's ASCII value written as two hexadecimal digits.
Hello World → Hello%20World
Reserved vs Unreserved Characters
| Type | Examples |
|---|---|
| Unreserved | A-Z a-z 0-9 - _ . ~ |
| Reserved | : / ? # [ ] @ ! $ & ' ( ) * |
URL Encoding in APIs
- Query parameters
- OAuth redirects
- REST API filtering
- Search endpoints
Incorrect encoding is a common cause of broken APIs and security bugs.
Common Mistakes
- Double-encoding values
- Encoding entire URLs instead of components
- Manually encoding strings
- Assuming + always means space
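The mistakes listed above, shown with the standard JavaScript URL APIs. This is an added example, not code from the original article; the host `api.example.test` and the input values are constructed.

```javascript
// Added example. BASE and userInput are constructed values.
const BASE = 'https://api.example.test/search';
const userInput = 'a+b&page=2'; // one search term, as typed by a user

// Mistake: raw concatenation lets "&", "=" and "+" act as URL syntax.
function buildNaive(q) {
  return `${BASE}?q=${q}`;
}

// Mistake: encodeURI targets whole URLs, so it keeps ? & = + as they are.
function buildWithEncodeURI(q) {
  return encodeURI(`${BASE}?q=${q}`);
}

// Correct: encode only the component; URLSearchParams does this for us.
function buildCorrect(q) {
  const url = new URL(BASE);
  url.searchParams.set('q', q);
  return url.toString();
}

// What a form-style query parser recovers from a finished URL.
function parsedParams(urlString) {
  return Object.fromEntries(new URL(urlString).searchParams);
}

// Mistake: encoding an already encoded value turns "%" into "%25".
function doubleEncode(value) {
  return encodeURIComponent(encodeURIComponent(value));
}

// "+" is a space only under form decoding, not under percent-decoding.
function decodeBothWays(raw) {
  return {
    percentDecode: decodeURIComponent(raw),
    formDecode: new URLSearchParams(`v=${raw}`).get('v'),
  };
}

console.log(parsedParams(buildNaive(userInput)));   // q is cut short, page appears
console.log(parsedParams(buildCorrect(userInput))); // q round-trips intact
console.log(doubleEncode('a b'), decodeBothWays('a+b%2Bc'));
```

With the naive and `encodeURI` builders the single search term is split into two parameters; with component encoding the receiver gets back exactly what the user typed.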
URL Encoding and Security
Improper encoding can lead to:
- Injection vulnerabilities
- Broken authentication flows
- Open redirect issues
Encoding is not security, but incorrect encoding can break security.
Final Thoughts
URL encoding is a deceptively simple concept with far-reaching consequences.
Mastering it is essential for anyone building web applications, APIs, or distributed systems.