URL Structure Explained: Query Parameters, Fragments & Encoding

You type URLs into your browser dozens of times a day, click on them in emails and search results, and share them in messages. But have you ever stopped to look at what a URL actually contains? Beyond the familiar domain name, a URL carries structured information that tells your browser exactly where to go, what protocol to use, and what additional data to send. Understanding URL structure is essential for web developers, SEO professionals, API designers, and anyone who works with the web at a technical level.

The Anatomy of a URL

A URL (Uniform Resource Locator) is a string of characters that identifies a resource on the internet. Every URL follows a standard structure defined by RFC 3986, the official specification for URI (Uniform Resource Identifier) syntax. Consider this example URL:

https://www.example.com:443/products/search?q=laptop&sort=price#reviews

This single line contains seven distinct components, each serving a specific purpose. Let us break them down one by one.

Protocol (Scheme)

The protocol appears at the very beginning of the URL, before the colon and double slash. In the example above, it is "https." The protocol tells the browser how to communicate with the server. The most common protocols on the web are HTTP (Hypertext Transfer Protocol) and HTTPS (the secure version that encrypts traffic with TLS). Other protocols you may encounter include FTP for file transfers, mailto for email addresses, and tel for telephone numbers. Modern websites should always use HTTPS. Browsers flag HTTP sites as "not secure," and search engines rank HTTPS pages higher.

Authority (Domain and Port)

The authority component identifies the server that hosts the resource. It typically consists of the domain name and an optional port number. In the example, "www.example.com" is the domain and ":443" is the port. The port tells the browser which communication endpoint to use on the server. Port 443 is the default for HTTPS, and port 80 is the default for HTTP, so they are usually omitted from the URL. You only see explicit port numbers when a service runs on a non-standard port, such as localhost:3000 for a development server.

Subdomains like "www" or "blog" are part of the authority. They can point to different servers or different sections of the same server. From a technical perspective, "blog.example.com" and "www.example.com" are different hosts and can be configured independently.

Path

The path follows the domain and identifies the specific resource on the server. In the example, "/products/search" is the path. Paths are hierarchical, separated by forward slashes. Each segment represents a level in the directory structure, though modern web frameworks often use paths as routing patterns rather than literal file paths. The path "/blog/2026/april" might correspond to a controller action, a database query, or a static file, depending on how the server is configured.

Clean, descriptive paths benefit both users and search engines. A URL like "/products/laptop" is more meaningful than "/p?id=12345". This principle is a cornerstone of SEO and user experience design.

Query Parameters

Query parameters appear after a question mark in the URL. They pass additional information to the server, typically for filtering, sorting, searching, or tracking. In the example, "q=laptop&sort=price" contains two query parameters: "q" with the value "laptop" and "sort" with the value "price." Multiple parameters are separated by ampersands.

Query parameters are key-value pairs. The key identifies what information is being sent, and the value is the data itself. They are used extensively in web applications. Search queries, page numbers in pagination, filter selections, tracking parameters like UTM tags for analytics, and API request parameters all use query strings.

There are a few important rules for query parameters. The question mark that introduces the query string can appear only once in a URL. Everything after the question mark is part of the query. Parameter keys and values must be URL-encoded if they contain special characters. The order of parameters technically does not matter for the server, though some applications are sensitive to parameter order. Duplicate parameter keys are allowed but can cause ambiguous behavior.

For developers building APIs, query parameters are the standard way to pass optional data in GET requests. For example, an API endpoint for retrieving a list of products might accept query parameters for category, price range, and sort order.

Fragments (Hash)

The fragment is the portion of the URL that follows the hash symbol. In the example, "#reviews" is the fragment. Fragments serve a unique role in URL structure: they are processed entirely by the browser and never sent to the server.

The most common use of fragments is to navigate to a specific section within a page. When you click a link with a fragment, the browser scrolls the page to the element with a matching ID. A link to "https://example.com/docs#installation" scrolls the page to the element with id="installation". This is how table of contents links and in-page navigation work.

Fragments are also used in single-page applications (SPAs) for client-side routing. The hash-based routing scheme uses different fragment values to represent different views within the application without triggering a full page reload. Modern SPAs have largely moved to the HTML5 History API for cleaner URLs, but hash routing is still used in some frameworks and legacy applications.

Because fragments are not sent to the server, they have no effect on caching, server-side analytics, or server-side processing. Two URLs that differ only in their fragment (like "/page#section1" and "/page#section2") are considered the same resource by the server and will return the same response.

URL Encoding

URLs can only contain a limited set of characters safely. The ASCII alphanumeric characters, hyphens, underscores, and dots are always safe. But spaces, non-ASCII characters (like accented letters or CJK characters), and reserved characters (like ampersands, question marks, and hash symbols) must be encoded before they can appear in a URL. URL encoding replaces these characters with a percent sign followed by two hexadecimal digits representing the byte value of the character.

For example, a space is encoded as "%20." An ampersand is encoded as "%26." The Chinese characters for "laptop" would be encoded as a series of percent-encoded UTF-8 bytes. This encoding ensures that the URL can be transmitted safely over the internet without ambiguity.

URL encoding applies to different parts of the URL in different ways. Reserved characters like "/", "?", "&", and "#" have special meaning as delimiters and must be encoded when they appear as data within a component. For instance, an ampersand within a query parameter value must be encoded as "%26" to avoid being interpreted as a parameter separator. The URL encoding utility on KnowKit can encode and decode URLs for you, handling all the rules automatically.

A related concept is punycode encoding for internationalized domain names. Domain names can only contain ASCII letters, digits, and hyphens, but the Punycode system allows non-ASCII characters to be represented in ASCII. A domain like "münchen.de" is encoded as "xn--mnchen-3ya.de" behind the scenes. Modern browsers handle this conversion transparently, but developers working with international domains need to be aware of it.

Parsing URLs in Practice

Every major programming language provides built-in URL parsing. In JavaScript, the URL class provides properties for every component: protocol, hostname, port, pathname, searchParams, and hash. The URLSearchParams class makes it easy to manipulate query parameters without manual string manipulation. In Python, the urllib.parse module provides urlparse for breaking URLs into components and urlencode for constructing query strings.

For quick inspection without writing code, you can use the URL parser on KnowKit. Paste any URL and it will decompose it into its components, display the query parameters in a table, decode any percent-encoded characters, and show the fragment separately.

When building web applications, always use your language's standard URL parsing functions rather than writing your own with string splitting or regular expressions. URL parsing has enough edge cases that hand-rolled solutions almost always have bugs. The standard libraries handle these edge cases correctly and are tested against real-world URLs.

URLs and SEO

Search engines use URLs as a ranking signal. Clean, descriptive URLs that include relevant keywords tend to rank better than opaque URLs full of parameters and random identifiers. Best practices for SEO-friendly URLs include using lowercase letters (some servers treat uppercase and lowercase paths differently), separating words with hyphens rather than underscores, keeping URLs concise and descriptive, avoiding unnecessary query parameters, using canonical tags when multiple URLs lead to the same content, and ensuring URLs are stable over time to preserve accumulated link equity.

Query parameters can create duplicate content issues for search engines. The URLs "/products?sort=price" and "/products?sort=name" may return the same products in a different order, which search engines might treat as duplicate pages. Using canonical tags or the robots meta tag helps manage this.

Security Considerations

URLs can be a vector for security attacks if not handled carefully. Open redirect vulnerabilities occur when an application redirects users to a URL taken from a query parameter without validating it first. An attacker could craft a link to your site that redirects to a phishing page. SQL injection can occur when URL parameters are directly concatenated into database queries. Cross-site scripting (XSS) can happen when URL parameters are reflected in the page without sanitization.

Always validate and sanitize URL parameters on the server side. Never trust data from the URL, even if it appears to come from your own application. Use parameterized queries for database access. Encode output that originates from URL parameters before inserting it into HTML. These practices prevent the most common web security vulnerabilities.

Understanding URL structure is foundational knowledge for anyone who works with the web. Whether you are debugging a broken link, designing an API, optimizing for search engines, or securing an application, knowing how URLs are constructed and parsed will help you work more effectively and avoid common mistakes.