What's the difference between %20 and + for a space?

Both represent a space, but in different contexts. %20 is the correct percent-encoded form for spaces in a URL path or query string. The + symbol represents a space specifically in HTML form data

Should I encode the entire URL or just parts of it?

Encode the components — specifically the values of query parameters, dynamic path segments, or any portion containing user-generated or special character content. Encoding an already-formed complete URL can double-encode characters, which breaks things. Build your URL by encoding each value individually, then assemble the full URL around them.

What is double encoding and why does it matter?

Double encoding occurs when an already-encoded string gets encoded a second time. %20 becomes %2520 because % itself encodes as %25. This is not just annoying — servers that decode twice can be tricked into processing characters that should have been blocked, making double encoding a known web security vulnerability. Encode exactly once, at the right stage.

Does URL encoding affect SEO?

It can. Search engines generally prefer clean, readable URLs with actual words over chains of percent-encoded characters. If your URL contains encoded characters that could instead be expressed as readable Unicode slugs, the human-readable version tends to perform better in both rankings and click-through rates. That said, a correctly encoded URL always beats a broken one

Is URL encoding the same as HTML encoding?

No — related but distinct. HTML encoding converts characters like <, >, and & into HTML entities (<, >, &) to prevent them from being interpreted as markup. URL encoding converts characters into percent notation for safe URL transmission. Both are necessary in web development, and applying the wrong one in the wrong place is a common source of XSS (cross-site scripting) vulnerabilities.

What happens if I forget to encode a URL parameter?

At best, your request fails or returns unexpected results. At worst, unencoded characters corrupt your URL structure or create exploitable security gaps. A user-submitted value containing & could prematurely end one parameter and inject a fraudulent one — a technique known as HTTP parameter pollution. Always encode before you transmit.

URL Encode – Free Online URL Encoding Tool

What is URL Encode?

URL encoding — also called percent-encoding — is the process of converting characters into a format that can be safely transmitted over the internet via a URL (Uniform Resource Locator).
URLs can only be sent over the internet using a specific set of ASCII characters. But the real world is messier than that. People type spaces, ampersands, question marks, hash symbols, accented letters, Arabic script, emoji, and all manner of characters that have special meaning inside a URL — or simply aren't allowed in one at all.
URL encode solves this by replacing unsafe or reserved characters with a % sign followed by a two-digit hexadecimal code representing that character's ASCII value. A space becomes %20, an @ becomes %40, a / becomes %2F, and so on.
The result is a URL that looks a little strange to human eyes but is perfectly unambiguous to every browser, server, and web application handling it.
Characters in a URL fall into three distinct buckets:
Unreserved characters — Letters (A–Z, a–z), digits (0–9), and the symbols -, _, ., ~ pass through a URL completely untouched.
Reserved characters — Symbols like ?, &, =, /, #, and : carry specific structural meaning. They separate domains from paths, paths from query parameters, and parameters from each other. If your actual data contains any of these, they must be encoded — otherwise the URL breaks apart in the wrong places.
Unsafe characters — Spaces, quotation marks, <, >, {, }, and others that are either disallowed outright or likely to be corrupted by browsers, proxies, or servers mid-transmission.

How to Use URL Encode

Identify characters that need encoding

Scan your string for anything that isn't a standard unreserved ASCII character — spaces, punctuation, special symbols, and any non-ASCII characters like accented letters, non-Latin scripts, or emoji.

Convert to UTF-8 bytes.

For non-ASCII characters especially, the character is first expressed as its UTF-8 byte sequence. URL encoding operates at the byte level, not the character level — an important distinction.

Apply percent-encoding.

Each byte that requires encoding is written as %XX, where XX is the uppercase hexadecimal value of that byte. A space (ASCII 32, hex 20) becomes %20. The euro sign € becomes %E2%82%AC — three separate bytes, each encoded individually.

Assemble the final string.

Unreserved characters pass through unchanged; everything else is replaced with its percent-encoded equivalent. The result is a clean, transmission-safe URL.

Why Use URL Encode?

This is where it gets practical. URL encoding isn't just a technical formality — skipping it causes real, often frustrating problems.

It prevents broken links. A URL containing an unencoded space or special character can silently fail. A filename like My Report (Final).pdf served without encoding becomes My%20Report%20%28Final%29.pdf — without that transformation, many servers return a 404.

It protects query parameter integrity. If a user submits a form value containing &, an unencoded URL will treat it as a parameter separator, silently splitting your data in two. Encoding locks the value in safely.

It enables international content. Non-Latin scripts — Arabic, Chinese, Japanese, Cyrillic — are not natively supported in URLs as-is. UTF-8 percent-encoding makes the global web genuinely global, allowing any language to appear in a URL path or query string.

It's essential for API reliability. Query parameters in API calls frequently contain user-generated content. Properly encoding these values prevents malformed requests, server errors, and subtle data corruption that can be nightmarish to debug.

It protects authentication flows. OAuth redirect URIs, tokens, and state parameters passed through URLs require precise encoding. A single unencoded = or & can collapse an entire authentication chain, locking users out completely.

It's a security requirement. Unencoded URLs are a vector for parameter pollution attacks — where a user-supplied value containing &key=value injects unauthorized parameters into your request. Encoding neutralizes this at the source.