Why does the percent sign in a URL cause an HTTP 400 Bad Request error?
Solution 1
Short answer
As per RFC 3986, a bare % character is not a valid URI syntax; it should be followed by two meaningful hexadecimal digits.
Long answer
The HTTP status code you got belongs to the 4xx class:
4xx: Client Error - The request contains bad syntax or cannot be fulfilled
Source: Hypertext Transfer Protocol (HTTP) Status Code Registry
In particular, code 400 is defined by the Internet Engineering Task Force (IETF) in RFC 2616:
10.4.1 400 Bad Request
The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
Quoting Wikipedia (bold emphasis mine):
The characters allowed in a URI are either reserved or unreserved (or a percent character as part of a percent-encoding).
If you want to insert a literal % symbol, you need to use its percent-encoded representation: %25.
Solution 2
The percent sign is for inserting a character that is normally not supported in the URL. For example, %20 is the same as a space.
iglvzx
Updated on September 18, 2022
Comments
-
iglvzx over 1 year
I stumbled upon this by accident when mistyping the URL for a web page in my web browser.
Why does visiting http://example.com/% cause an HTTP 400 Bad Request error to be thrown? Is the server expecting something else after or before the percent sign? It seems to happen for Apache and Nginx servers.
- (Server: cloudflare-nginx) https://superuser.com/%
- (Server: Apache) http://mozilla.org/%
-
Robotnik almost 10 years
And to insert a percent character itself, it's %25
-
Phil Perry almost 10 years
A + is a shortcut way to encode a space. If you want a real plus sign, use its hex code, %2B.
-
Eden Townsend almost 10 years
+ is the correct encoding for a space only within a query string. %20 is the correct encoding elsewhere within the URL.
-
fiffy almost 7 years
I don't get it. If I mask the '%' sign with '%25' the file will still not be served but an error 400 will be thrown in our scenario (Apache -> JKMount -> Tomcat)
-
Marco Marsala over 4 years
If you have the following RewriteRule
RewriteRule (.*) xyz/$1
(where xyz is any folder name) in .htaccess, you should double-encode % as %2525.
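Added example, not part of the original answers or comments: a Python sketch of the RFC 3986 rule quoted in Solution 1 (a % must be followed by two hexadecimal digits) and of the double-encoding point raised in the last two comments. The function names and the model in which every hop decodes the path exactly once are assumptions made for illustration, not a description of how Apache, mod_rewrite or Tomcat are implemented.

```python
import re
from urllib.parse import quote, unquote

# RFC 3986: pct-encoded = "%" HEXDIG HEXDIG
_BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def malformed_percent_offsets(path):
    """Offsets of every '%' that is not followed by two hex digits."""
    return [m.start() for m in _BAD_PERCENT.finditer(path)]


def encode_for_hops(raw_path, hops):
    """Percent-encode raw_path once per decoding hop ('/' left as is)."""
    value = raw_path
    for _ in range(hops):
        value = quote(value, safe="/")
    return value


def decode_hops(path, hops):
    """Decode once per hop, validating first as a strict server would.

    Returns (value, None) on success, or (value_so_far, failing_hop) at
    the first hop that would see a malformed escape and answer 400.
    urllib's unquote() alone is lenient and passes a bare '%' through,
    which is why the explicit check comes first.
    """
    value = path
    for hop in range(1, hops + 1):
        if malformed_percent_offsets(value):
            return value, hop
        value = unquote(value)
    return value, None


if __name__ == "__main__":
    # Constructed sample paths, not taken from a real server log.
    for sample in ["/%", "/50%2", "/a%zz%20", "/100%25", "/100%2525"]:
        print(sample, malformed_percent_offsets(sample), decode_hops(sample, 2))
    print(encode_for_hops("/100%", 1), encode_for_hops("/100%", 2))
```

Under this model, /100%25 survives one decode but fails at the second hop, while /100%2525 reaches the second hop as /100%25 and decodes cleanly.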