Why does the percent sign in a URL cause an HTTP 400 Bad Request error


I stumbled upon this by accident when mistyping the URL for a web page in my web browser.

Why does visiting http://example.com/% cause an HTTP 400 Bad Request error to be thrown? Is the server expecting something else after or before the percent sign?

It seems to happen for Apache and Nginx servers.

Best Answer

Short answer

As per RFC 3986, a bare % character is not valid URI syntax; it should be followed by two meaningful hexadecimal digits.

Long answer

The HTTP status code you got belongs to the 4xx class:

4xx: Client Error - The request contains bad syntax or cannot be fulfilled

Source: Hypertext Transfer Protocol (HTTP) Status Code Registry

In particular, code 400 is defined by the Internet Engineering Task Force (IETF) in RFC 2616:

10.4.1 400 Bad Request

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

Source: RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1

Quoting Wikipedia (bold emphasis mine):

The characters allowed in a URI are either reserved or unreserved (or a percent character as part of a percent-encoding).

Source: Percent-encoding - Percent-encoding in a URI

If you want to insert a literal % symbol, you need to use its percent-encoded representation: %25.

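The rule cited in the answer, as an added example that is not part of the original post: a strict check that rejects any % not followed by two hexadecimal digits, set beside Python's urllib.parse.unquote, which passes a bare % through unchanged. The function names and sample paths are constructed for illustration; the 400/200 values stand in for what a strict front end would decide.

```python
import re
from urllib.parse import unquote

# RFC 3986 section 2.1: pct-encoded = "%" HEXDIG HEXDIG
# Match any "%" that is NOT followed by exactly that.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def find_bad_escapes(target):
    """Return the offset of every '%' not followed by two hex digits."""
    return [m.start() for m in _BAD_ESCAPE.finditer(target)]


def strict_decode(target):
    """Percent-decode a request path, refusing malformed escapes."""
    bad = find_bad_escapes(target)
    if bad:
        raise ValueError("malformed percent-encoding at offset(s) %s" % bad)
    return unquote(target)


def lenient_decode(target):
    """unquote() alone: malformed escapes are left in place, not rejected."""
    return unquote(target)


def status_for(target):
    """400 for a syntactically invalid path, 200 otherwise (illustrative)."""
    try:
        strict_decode(target)
    except ValueError:
        return 400
    return 200


if __name__ == "__main__":
    # Constructed sample request paths.
    for path in ["/%", "/100%25", "/a%2", "/a%zz", "/a%20b", "/%%25"]:
        print("%-10r strict=%d lenient=%r bad_at=%s" % (
            path, status_for(path), lenient_decode(path),
            find_bad_escapes(path)))
```

A component that decodes leniently and one that rejects strictly will disagree about paths like /%, which is why validating before decoding matters when several layers handle the same URL.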