A Uniform Resource Locator (URL) – informally called a web address – specifies the location of a resource on the internet.

Understanding how browsers and web-servers treat URLs is key to securing your website. A URL will typically have the following form:

http:// hacksplaining.com /glossary/urls ?ref=google&top=Y #details
Protocol Domain Path Query String URI Fragment
  • The protocol dictates whether HTTP requests and responses are sent as plain text or encrypted en route.

  • The domain dictates the server the request is sent to. It is converted to an IP address following a lookup on the Domain Name System. The domain is the only part of an HTTPS request that is not encrypted.

  • The path tells the server which resource is being accessed. It frequently (but not always) corresponds to a path on disk, accessible to the web server.

  • The (optional) query string contains non-hierarchical data, usually defined as key-value attribute pairs.

  • The (optional) URI fragment is not included in HTTP requests by browser, but can be updated and read in JavaScript.