Paths

How to escape a forward slash in a URL path.

A slash inside a path value — like a date 2026/07 or a file path used as an ID — must become %2F so it isn’t read as a path separator. But encode the whole path and you break routing. Here’s the difference, and how servers actually treat %2F.

Encode the segment, not the path

The slash / is the path separator. When a slash is part of a value inside a segment (not structure), encode just that value with encodeURIComponent — which turns / into %2F:

const id = 'folder/report';           // a slash that's DATA, not structure
const path = '/files/' + encodeURIComponent(id);
// "/files/folder%2Freport"  ← the inner slash is now %2F, one segment

Never run the whole path through encodeURIComponent — it encodes the structural slashes too and produces a broken path:

// WRONG
encodeURIComponent('/files/folder/report');
// "%2Ffiles%2Ffolder%2Freport"  ← every slash gone; not a usable path

The catch: servers treat %2F specially

Here’s the part most guides miss. Even correctly encoded, %2F in a path is handled inconsistently by servers and proxies:

Because behaviour varies (Nginx, Apache, and cloud gateways each differ, and several have a specific setting for it), you must test against your own stack rather than assume.

The robust alternative: use the query string

If a value naturally contains slashes, the most portable option is to pass it as a query parameter instead of a path segment — slashes are far less fraught there:

// Instead of  /files/folder%2Freport
// Prefer      /files?id=folder%2Freport   (or even a plain ?id=folder/report)
const url = new URL('https://api.example.com/files');
url.searchParams.set('id', 'folder/report');
// https://api.example.com/files?id=folder%2Freport

Why %20 not + here

While we’re in path territory: a space in a path segment is %20, never +. The +-means-space rule only applies to query strings. encodeURIComponent already does the right thing (space → %20).

Our path encoder is slash-aware: it encodes the contents of each segment while leaving the structural slashes intact, so you can see exactly what a safe encoded path looks like.

About this page

Written and maintained by the urlencodedecode.com team. Every technical claim on this page is verified against primary sources — the RFCs (3986, 3629, 4648, 7578), the WHATWG URL Standard, and official vendor or language documentation — rather than second-hand summaries. When a source contradicts a common assumption, we follow the source and note the discrepancy. Corrections: contactus@urlencodedecode.com.

Common questions

Frequently asked.

Encode the value containing the slash with encodeURIComponent, which turns / into %2F. Encode only the individual segment or value, not the whole path — running the entire path through encodeURIComponent turns the structural slashes into %2F too and breaks routing.

Many web servers and reverse proxies reject or specially handle %2F in a path by default as a defence against path-traversal attacks. Some decode it back to a real slash before your app sees it. Behaviour varies by server, so test against your own stack or pass the value in the query string instead.

A forward slash encodes to %2F (percent sign, then the hex bytes 2F). It only needs encoding when the slash is data inside a segment; as a path separator it stays a literal /.

If the value naturally contains slashes, the query string is more portable — servers handle %2F inconsistently in the path but reliably in the query. Use ?id=folder%2Freport rather than /folder%2Freport when you can.

In a path, a space is %20. The +-means-space convention only applies to query strings (form-encoding). encodeURIComponent correctly produces %20 for a space.

Related

Keep exploring.