I stumbled upon this by accident when mistyping the URL for a web page in my web browser.

Why does visiting http://example.com/% cause an HTTP 400 Bad Request error to be thrown? Is the server expecting something else after or before the percent sign?

It seems to happen for Apache and Nginx servers.

(Server: cloudflare-nginx) https://superuser.com/%
(Server: Apache) http://mozilla.org/%

iglvzx

Posted 2014-05-28T23:01:19.650

Reputation: 21 611

20 http://superuser.com/%71%75%65%73%74%69%6f%6e%73%2f%37%35%39%39%35%39%2f%77%68%79%2d%64%6f%65%73%2d%74%68%65%2d%70%65%72%63%65%6e%74%2d%73%69%67%6e%2d%69%6e%2d%61%2d%75%72%6c%2d%63%61%75%73%65%2d%61%6e%2d%68%74%74%70%2d%34%30%30%2d%62%61%64%2d%72%65%71%75%65%73%74%2d%65%72%72%6f%72 works just fine! – Nick T – 2014-05-29T05:04:21.000

Answers

Short answer

As per RFC 3986, a bare % character is not a valid URI syntax; it should be followed by two meaningful hexadecimal digits.

Long answer

The HTTP status code you got belongs to the 4xx class:

4xx: Client Error - The request contains bad syntax or cannot be fulfilled

_{Source: Hypertext Transfer Protocol (HTTP) Status Code Registry}

In particular, code 400 is defined by the Internet Engineering Task Force (IETF) in RFC 2616:

10.4.1 400 Bad Request

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

_{Source: RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1}

Quoting Wikipedia (bold emphasis mine):

The characters allowed in a URI are either reserved or unreserved (or a percent character as part of a percent-encoding).

_{Source: Percent-encoding - Percent-encoding in a URI}

If you want to insert a literal % symbol, you need to use its percent-encoded representation: %25.

Why does the percent sign in a URL cause an HTTP 400 Bad Request error?

Answers

Short answer

Long answer

Further reading