When a production webhook fails, it’s rarely because the server was down—it’s usually a malformed URL. I’ve chased bugs where a missing slash turned a POST into a 404, or a query string got double-encoded and broke signature verification. That’s why I take Node.js’s URL class seriously: it gives you a standards-based, predictable way to parse and construct URLs instead of improvising with string splits. If you handle redirects, callbacks, multi-tenant routing, or any kind of user-provided link, you need that predictability.
I’ll walk through how new URL() actually behaves, how it resolves relative inputs against a base, how to safely mutate components, and how to avoid silent errors that appear only under edge-case traffic. I’ll also show patterns I use in 2026-era services: validation with schema tooling, URL-safe logging, and guardrails for SSRF and open redirects. You’ll leave with a practical mental model, runnable examples, and a set of do’s and don’ts you can apply immediately.
The mental model I use for new URL()
The URL class in Node.js follows the WHATWG URL standard. I treat it like a browser-grade URL parser with reliable getters and setters. When you call new URL(input[, base]), it doesn’t just split a string—it builds a structured object with normalized fields. I’ve learned to think of it as a URL “constructor” that always yields a fully-qualified URL, or throws if it can’t. That “throws if it can’t” is important; it forces you to handle invalid inputs instead of letting bad URLs slip through.
A few key rules I keep in mind:
- If
inputis absolute (includes a scheme likehttps:), thebaseis ignored. - If
inputis relative, thebaseis required and used for resolution. - The resulting
URLobject exposeshref,origin,protocol,hostname,port,pathname,search,searchParams, andhash. - Setting those properties updates the URL consistently; you’re not fighting manual string joins.
This makes the URL class ideal for routing, signing, logging, and safely building links. It’s also a better long-term choice than url.parse() from the legacy API, which uses a looser, less standardized parser.
Creating URLs: absolute vs relative inputs
I start with clear examples because the base-resolution behavior is where most confusion happens. Here’s a runnable snippet you can drop into index.js.
const { URL } = require(‘url‘);
// Absolute URL: base is ignored
const absolute = new URL(‘https://api.example.com/v1/users?role=admin#top‘);
console.log(absolute.href);
// Relative URL: base is required
const relative = new URL(‘/v1/users‘, ‘https://api.example.com‘);
console.log(relative.href);
// Relative with path traversal
const normalized = new URL(‘../billing/invoices‘, ‘https://api.example.com/v1/users/123/‘);
console.log(normalized.href);
Output (conceptually):
https://api.example.com/v1/users?role=admin#tophttps://api.example.com/v1/usershttps://api.example.com/v1/billing/invoices
When I’m building links in a service, I always pass an explicit base because it forces the URL into a normalized, absolute form. That normalization alone prevents a class of bugs where accidental relative URLs leak into logs or headers.
The parts you can safely read and mutate
Once you have a URL instance, you can read and mutate properties. I like to treat it as a mutable builder that stays valid. Here’s a small helper I use when I need to enrich URLs before redirecting a user.
const { URL } = require(‘url‘);
function addTracking(originalUrl, campaignId) {
const u = new URL(originalUrl);
// Only add if it isn‘t already present
if (!u.searchParams.has(‘campaign‘)) {
u.searchParams.set(‘campaign‘, campaignId);
}
// Force HTTPS for outbound links
u.protocol = ‘https:‘;
return u.toString();
}
console.log(addTracking(‘http://store.example.com/product/42‘, ‘spring-2026‘));
A few behaviors worth noticing:
u.searchParamsusesURLSearchParams, which handles encoding and ordering correctly.- Setting
protocolautomatically adjustshref. - Calling
toString()and readinghrefare equivalent here; both output the full URL.
For applications that sign URLs, I recommend mutating in a strict order: set protocol/host/path first, then set query params last so you don’t re-encode values after signing.
When to use URL vs legacy parsing
I still encounter url.parse() in older codebases. It’s tempting to keep using it because it returns a plain object and doesn’t throw. But it’s easier to create inconsistent URLs that way, especially around weird inputs like http:example.com or missing slashes. Here’s a direct comparison with behavior I see in maintenance work:
Traditional vs Modern
Legacy url.parse()
new URL() —
Often produces partial objects without throwing
Inconsistent
Manual concatenation or url.resolve()
new URL(relative, base) Raw string
URLSearchParams with proper encoding Older Node-specific behavior
I recommend new URL() in all new code. The only time I keep url.parse() around is if I’m matching a legacy behavior exactly for compatibility tests.
Real-world scenarios and patterns I use
Here are patterns I use in production code that you can adapt immediately.
1) Building callback URLs for OAuth and webhooks
const { URL } = require(‘url‘);
function buildCallbackUrl(baseUrl, path, query) {
const u = new URL(path, baseUrl);
for (const [key, value] of Object.entries(query)) {
u.searchParams.set(key, value);
}
return u.href;
}
const callback = buildCallbackUrl(
‘https://auth.example.com‘,
‘/oauth/callback‘,
{ provider: ‘github‘, state: ‘abc123‘ }
);
console.log(callback);
Why I like this: it guarantees the callback is absolute, and URLSearchParams prevents accidental double-encoding.
2) Safe link creation for multi-tenant apps
If you host tenant-specific subdomains, I recommend building URLs with explicit hostnames and a strict allowlist:
const { URL } = require(‘url‘);
const allowedTenants = new Set([‘alpha‘, ‘beta‘, ‘gamma‘]);
function buildTenantUrl(tenant, path) {
if (!allowedTenants.has(tenant)) {
throw new Error(‘Unknown tenant‘);
}
const base = https://${tenant}.app.example.com;
const u = new URL(path, base);
return u.href;
}
console.log(buildTenantUrl(‘alpha‘, ‘/dashboard‘));
I’ve seen open redirect bugs when devs concatenate https://${tenant}.app.example.com with user input directly. new URL() gives me a structured guardrail: I only allow the tenant name, and I control the base.
3) SSRF protection in backend fetches
If your service fetches URLs supplied by users, you must prevent requests to internal networks. I treat URL as a parsing step before I even resolve DNS.
const { URL } = require(‘url‘);
function assertSafeFetchTarget(input) {
const u = new URL(input);
if (u.protocol !== ‘https:‘ && u.protocol !== ‘http:‘) {
throw new Error(‘Unsupported protocol‘);
}
// Simple hostname gate; expand with DNS checks in production
if (u.hostname.endsWith(‘.internal‘) || u.hostname === ‘localhost‘) {
throw new Error(‘Blocked target‘);
}
return u;
}
console.log(assertSafeFetchTarget(‘https://docs.example.com/api‘));
I always parse before validation; string checks alone can be tricked with edge cases like embedded credentials or unusual schemes.
Subtle behaviors that bite developers
The URL class is predictable, but it has behaviors you should explicitly know about. Here are the ones I’ve seen trip teams the most.
Hostnames are normalized
Uppercase hostnames are normalized to lowercase. If you want to preserve the original case for display, you need to store the original input separately. For most network operations, normalization is correct and desired.
Trailing slashes matter
https://example.com/path and https://example.com/path/ are different. The URL class won’t “fix” that for you. When I’m designing API clients, I standardize paths on trailing slashes at the routing layer to avoid duplicate cache keys.
pathname always starts with a slash
If you set u.pathname = ‘users‘, it becomes /users. That’s helpful, but if you’re joining multiple path segments, do it in one place and set pathname once to avoid accidental //.
searchParams ordering
URLSearchParams preserves insertion order. If you rely on a specific query order for signatures, you must set parameters in a deterministic order. I often sort keys first when generating signed URLs.
The URL constructor can throw
If the input is malformed (e.g., https:// with no host), it throws a TypeError. Always wrap in try/catch for user-provided inputs. I treat this like JSON parsing: you never assume it will succeed.
Common mistakes and the fixes I recommend
Here are mistakes I see in code reviews and how I fix them.
- Mistake: Concatenating query strings manually
Fix: Use URLSearchParams to avoid broken encoding and duplicated ?.
- Mistake: Forgetting a base for relative URLs
Fix: Always pass a base, even if you think the input is absolute. You can guard by checking input.includes(‘://‘) and fallback to base.
- Mistake: Treating
URLoutput as safe for HTML
Fix: For rendering, still escape output to avoid XSS in templates.
- Mistake: Allowing arbitrary schemes
Fix: Explicitly allow only http: and https: unless you have a controlled use case.
- Mistake: Logging sensitive tokens in
href
Fix: If you must log, redact searchParams keys like token or signature.
These are easy changes that save hours of debugging and reduce security risks.
Performance notes I use in practice
new URL() is fast enough for most web workloads, but it’s not free. I’ve profiled services where URL parsing becomes noticeable when you handle hundreds of thousands of requests per second. In those cases, I apply two techniques:
1) Parse only when needed. If you don’t need the query string or path, don’t parse. For example, in a reverse proxy, you can pass raw strings until you need to validate.
2) Avoid re-parsing the same input. When I validate and then log, I reuse the same URL instance.
In my experience, URL parsing typically sits in the low millisecond range per request batch in Node.js, not per single URL. For high-volume services, the bigger cost is often the string creation and GC pressure. Keep parsing code tight, avoid extra copies, and you’ll be fine.
When not to use new URL()
I still choose other approaches in a few cases:
- When I’m parsing non-URL strings that only resemble URLs (custom protocol formats, proprietary database connection strings).
- When I must preserve the raw input exactly as received, including invalid forms, for audit logging or signature verification.
- When I’m operating in a strict low-level parser for performance (rare, and only with benchmark data).
Even then, I usually parse with URL at the boundary to validate, then store the raw input separately for auditing.
A deeper example: robust URL builder with validation
Here’s a practical pattern I use for APIs that accept relative paths and optional query data from other services. It validates a base URL once and then uses it for all subsequent operations.
const { URL } = require(‘url‘);
function createUrlBuilder(baseUrl) {
const base = new URL(baseUrl);
if (base.protocol !== ‘https:‘) {
throw new Error(‘Base URL must be HTTPS‘);
}
return function build(path, params = {}) {
const u = new URL(path, base);
for (const [key, value] of Object.entries(params)) {
if (value !== undefined && value !== null) {
u.searchParams.set(key, String(value));
}
}
return u.href;
};
}
const build = createUrlBuilder(‘https://api.example.com/v2/‘);
console.log(build(‘/users/42‘, { expand: ‘team‘, includeInactive: false }));
This pattern gives you a safe builder that can’t be misused: the base is validated once, the path is resolved in a single place, and parameters are encoded safely. I use it in multi-service environments where a shared library builds internal URLs across several teams.
Integrating with modern Node.js tooling in 2026
Even a basic URL parser benefits from modern workflows. Here’s how I typically wire it into current practices:
- Validation: I use schema validators (like Zod or TypeBox) to ensure inputs are strings before calling
new URL(). - AI-assisted linting: Most teams I work with in 2026 run AI review tooling that can flag unsafe concatenations of URLs or suspicious redirects. It’s not perfect, but it catches a surprising number of issues.
- Runtime configs: I keep base URLs in typed config layers so my URL builder can validate them on startup, not at runtime per request.
You don’t need AI to use URL, but AI linting and config validation remove a lot of incidental errors that are easy to miss under pressure.
Edge cases you should test
I always include a few explicit cases in tests. These aren’t theoretical; they’re patterns that have caused outages.
- Relative path with
..segments against a base with a trailing path - Query params that include spaces, plus signs, or Unicode characters
- URLs with explicit ports, including
:443and:80 - Mixed-case hostnames
- Empty hash or search (
#and?with no value)
Here’s a minimal test-style snippet that you can adapt to your test runner:
const { URL } = require(‘url‘);
const cases = [
[‘../billing‘, ‘https://api.example.com/v1/users/123/‘, ‘https://api.example.com/v1/billing‘],
[‘?q=hello world‘, ‘https://search.example.com/‘, ‘https://search.example.com/?q=hello%20world‘],
[‘#‘, ‘https://app.example.com/‘, ‘https://app.example.com/#‘],
];
for (const [input, base, expected] of cases) {
const actual = new URL(input, base).href;
if (actual !== expected) {
throw new Error(Expected ${expected} but got ${actual});
}
}
Practical guidance: how I teach teams to adopt URL
When I help a team migrate from manual parsing or legacy methods, I follow a three-step process:
1) Replace string concatenation in new code. Don’t refactor the world; stop the bleeding first.
2) Add a shared URL builder utility, so developers don’t reinvent patterns.
3) Add lint rules and tests that block http: or missing base URLs in production paths.
This approach keeps the change incremental and prevents the “big refactor that never ships.” It also gives teams a single place to improve validation logic over time.
Deep dive: how URL normalizes inputs
One of the biggest advantages of URL is normalization. That’s also where surprises show up. Here’s how I explain it in a quick mental checklist:
- Protocol normalization:
HTTPbecomeshttp:. The colon is part of the protocol inURL. - Hostname normalization:
EXAMPLE.combecomesexample.com. - Path normalization:
.and..segments are resolved when a base is provided, producing a canonical path. - Encoding normalization: spaces in query params become
%20unless you set+explicitly. - Default ports:
:80for HTTP and:443for HTTPS are preserved in the string unless you strip them.
Normalization is great for consistency, but it means you can’t rely on URL to preserve the original input. When I need exact original strings (for signature verification or audits), I store the raw input separately and parse it for decisions only.
Handling credentials safely
URL supports usernames and passwords, but I treat them as a footgun. They show up in href, which means they can leak into logs, exceptions, and analytics.
If you must accept URLs with credentials (e.g., legacy data import), I sanitize immediately:
const { URL } = require(‘url‘);
function sanitizeCredentials(input) {
const u = new URL(input);
if (u.username || u.password) {
u.username = ‘‘;
u.password = ‘‘;
}
return u.href;
}
console.log(sanitizeCredentials(‘https://user:[email protected]/private‘));
I strongly prefer token-based auth in headers or query params rather than embedded credentials. But if you must handle them, make sure your logging layer redacts username and password fields proactively.
Query strings: the URLSearchParams contract
URLSearchParams gives you a map-like API with correct encoding. The key detail: it supports multiple values per key, and it preserves insertion order. That can be a feature or a bug depending on your use case.
Example: preserving multiple values
const { URL } = require(‘url‘);
const u = new URL(‘https://example.com/search‘);
u.searchParams.append(‘tag‘, ‘node‘);
u.searchParams.append(‘tag‘, ‘url‘);
console.log(u.href);
Output:
https://example.com/search?tag=node&tag=url
If you set(‘tag‘, ‘url‘), it will replace all existing tag values. I use append when I explicitly want multi-valued params (filters, faceting, checkboxes). I use set for things that should be unique (token, page, sort).
Example: deterministic ordering for signatures
const { URL } = require(‘url‘);
function signableQuery(params) {
const keys = Object.keys(params).sort();
const u = new URL(‘https://example.com‘);
for (const key of keys) {
u.searchParams.set(key, params[key]);
}
return u.searchParams.toString();
}
console.log(signableQuery({ b: ‘2‘, a: ‘1‘ }));
This ensures query order is stable, which matters if you compute a hash or signature on the full URL string.
Building paths without subtle bugs
A surprisingly common source of URL bugs is path joining. People will mix path.join() with URLs, which can introduce backslashes on Windows or strip leading slashes.
I keep it simple: resolve against a base using new URL(path, base) and never use path.join() for URL paths.
Example: safe path resolution
const { URL } = require(‘url‘);
function safeJoin(baseUrl, path) {
return new URL(path, baseUrl).href;
}
console.log(safeJoin(‘https://example.com/api/v1/‘, ‘users/42‘));
If you need to join multiple segments, do it in one place and then feed the result into new URL():
const { URL } = require(‘url‘);
function joinSegments(...segments) {
const cleaned = segments
.filter(Boolean)
.map(s => String(s).replace(/^\/+|\/+$/g, ‘‘))
.join(‘/‘);
return /${cleaned};
}
const path = joinSegments(‘api‘, ‘v1‘, ‘users‘, 42);
const u = new URL(path, ‘https://example.com/‘);
console.log(u.href);
This avoids accidental // while keeping URL logic in one place.
Input validation patterns I trust
The simplest safe approach is: validate type first, parse second, validate components third. I never directly parse untrusted input without a try/catch because URL throws on invalid values.
Example: defensive parsing with typed validation
const { URL } = require(‘url‘);
function parseUserUrl(input) {
if (typeof input !== ‘string‘ || input.trim() === ‘‘) {
throw new Error(‘URL must be a non-empty string‘);
}
let u;
try {
u = new URL(input);
} catch {
throw new Error(‘Invalid URL‘);
}
if (u.protocol !== ‘https:‘ && u.protocol !== ‘http:‘) {
throw new Error(‘Unsupported protocol‘);
}
return u;
}
I’ll layer in schema validation (Zod/TypeBox/etc.) when the input is part of a larger payload. But even without a schema library, this small guard is enough to prevent most malformed inputs from making it deeper into the system.
Open redirects and how URL helps
Open redirects are a classic security issue. The usual bug is: accept a next parameter and redirect to it without validation. URL helps, but you still need to design a safe policy.
Policy: only allow same-origin redirects
const { URL } = require(‘url‘);
function safeRedirect(target, base) {
const baseUrl = new URL(base);
const targetUrl = new URL(target, baseUrl);
if (targetUrl.origin !== baseUrl.origin) {
throw new Error(‘Cross-origin redirect blocked‘);
}
return targetUrl.href;
}
console.log(safeRedirect(‘/dashboard‘, ‘https://app.example.com‘));
This approach accepts relative paths but rejects absolute URLs to other domains. It’s simple and secure for most apps. If you must allow a subset of domains, use an explicit allowlist and compare hostname values, not raw strings.
SSRF defenses: going beyond string checks
Parsing with URL is the first step; it’s not enough by itself. Attackers can trick simple hostname checks by using:
- Internal IPs in decimal or hex
- Mixed-case hostnames
- Embedded credentials
- DNS rebinding
A more robust strategy:
1) Parse with URL.
2) Enforce http:/https: only.
3) Resolve DNS and block private address ranges.
4) Consider allowlists for known domains.
Here’s a skeleton that shows the order, even if you fill in DNS checks later:
const { URL } = require(‘url‘);
function assertSafeHttpUrl(input) {
const u = new URL(input);
if (![‘http:‘, ‘https:‘].includes(u.protocol)) {
throw new Error(‘Unsupported protocol‘);
}
if (u.username || u.password) {
throw new Error(‘Credentials not allowed‘);
}
return u;
}
I keep SSRF guardrails near the boundary of any system that fetches external resources (webhooks, importers, preview generators, image proxies). It’s easy to get this wrong; even partial defenses are better than none.
Logging without leaking secrets
Logging URLs verbatim can leak tokens, signatures, or session IDs. I always log a redacted version for analytics and error reporting.
Example: URL-safe logging
const { URL } = require(‘url‘);
const SENSITIVE_KEYS = new Set([‘token‘, ‘signature‘, ‘auth‘, ‘key‘]);
function redactUrl(input) {
const u = new URL(input);
for (const key of u.searchParams.keys()) {
if (SENSITIVE_KEYS.has(key)) {
u.searchParams.set(key, ‘REDACTED‘);
}
}
return u.href;
}
I also avoid logging hash fragments, because those are often used in OAuth flows and can contain tokens.
Debugging tips: how I inspect URL objects
When I troubleshoot a URL bug, I log the full component set. Seeing protocol, hostname, pathname, and search separately can reveal mismatches that are invisible in href.
const { URL } = require(‘url‘);
function debugUrl(input, base) {
const u = base ? new URL(input, base) : new URL(input);
console.log({
href: u.href,
origin: u.origin,
protocol: u.protocol,
hostname: u.hostname,
port: u.port,
pathname: u.pathname,
search: u.search,
hash: u.hash
});
}
I often discover issues like:
- I accidentally used
hostnameinstead ofhostwhen I needed the port. - The path I thought was
/v1/usersis actually/v1/users/and hitting a different route. - The query string got normalized and the downstream signature check expects a different order.
Working with IPv6 URLs
IPv6 hostnames are wrapped in brackets. URL handles this, but it looks odd if you haven’t seen it.
const { URL } = require(‘url‘);
const u = new URL(‘http://[2001:db8::1]:8080/metrics‘);
console.log(u.hostname); // 2001:db8::1
console.log(u.host); // [2001:db8::1]:8080
If you’re building URLs from IPs, prefer using hostname and port separately. Avoid hand-concatenating brackets.
Internationalized domains and Unicode
URL supports internationalized domain names (IDN) by converting them to punycode under the hood. This is helpful but also means you may see a different hostname than the user typed.
I treat this as a security consideration: visually similar domains (homoglyphs) can trick users. If you display URLs back to users, consider showing the original input or a safe display form rather than the punycoded version.
Streaming systems and URL parsing
In large-scale systems, URL parsing is often done at the edge: API gateways, log processors, or analytics pipelines. In those cases, I prefer a two-stage approach:
1) Parse and validate once at the boundary.
2) Store canonical components (protocol, host, path, query) as separate fields in logs or events.
This makes analytics far easier. Instead of regex over raw URL strings, you can filter by host or group by pathname. The URL class is a convenient way to enforce that canonicalization.
More practical scenarios you can reuse
These are patterns I’ve pulled into services repeatedly.
4) Signed download URLs
When signing URLs, I keep strict control over ordering and encoding.
const { URL } = require(‘url‘);
const crypto = require(‘crypto‘);
function signUrl(baseUrl, path, params, secret) {
const u = new URL(path, baseUrl);
const keys = Object.keys(params).sort();
for (const key of keys) {
u.searchParams.set(key, params[key]);
}
const toSign = u.pathname + ‘?‘ + u.searchParams.toString();
const sig = crypto.createHmac(‘sha256‘, secret).update(toSign).digest(‘hex‘);
u.searchParams.set(‘signature‘, sig);
return u.href;
}
Notice the order: set params, compute signature, then add the signature param last. If you add it earlier, you might accidentally sign a different string.
5) Canonical URLs for SEO
If you’re generating canonical links, I normalize protocol, hostname, and paths to avoid duplicates.
const { URL } = require(‘url‘);
function canonicalize(input) {
const u = new URL(input);
u.protocol = ‘https:‘;
u.hostname = u.hostname.toLowerCase();
// Remove trailing slash for non-root paths
if (u.pathname !== ‘/‘ && u.pathname.endsWith(‘/‘)) {
u.pathname = u.pathname.slice(0, -1);
}
return u.href;
}
This keeps your canonical URL consistent even if the input is messy.
6) Analytics-friendly URLs (stripping noise)
Marketing links often include extra params that you may want to remove before caching or analytics.
const { URL } = require(‘url‘);
const TRACKINGKEYS = new Set([‘utmsource‘, ‘utmmedium‘, ‘utmcampaign‘]);
function stripTracking(input) {
const u = new URL(input);
for (const key of TRACKING_KEYS) {
u.searchParams.delete(key);
}
return u.href;
}
This is especially useful for cache keys: you don’t want ten versions of the same resource just because utm_campaign changes.
Alternative approaches and tradeoffs
URL is not the only tool, and it’s healthy to know the alternatives:
- Legacy
url.parse(): compatible with old code, returns a plain object, but has inconsistent parsing rules. Use only for backward-compatibility. - Third-party libraries: some libraries add features like query parsing with schemas or validation. I use them when I need advanced behavior (e.g., strict RFC compliance or custom protocols).
- Manual parsing: sometimes necessary for non-URL formats, but fragile for anything user-facing. I avoid it in new code.
My rule: start with URL, then layer in libraries only when you have a clear gap you need to fill. Most of the time, URL does the job cleanly and predictably.
Testing strategy that scales
Beyond the small edge cases, I add a few “regression style” tests based on prior incidents. Examples I actually keep around:
- URLs with repeated params (
?a=1&a=2) - URLs with trailing dots in the hostname
- Pathnames that include encoded slashes (
%2F) - Relative URLs that start with
//(scheme-relative)
Here’s an example for scheme-relative URLs:
const { URL } = require(‘url‘);
const u = new URL(‘//cdn.example.com/assets‘, ‘https://app.example.com‘);
console.log(u.href); // https://cdn.example.com/assets
This behavior is correct but surprising if you expect // to be treated as a normal path. I treat it as an external redirect and validate the host accordingly.
Monitoring and observability around URLs
In production, the best way to catch URL problems early is to instrument failures and track patterns. I usually add metrics on:
- Parse failures (
TypeErrorcount) - Rejected protocols
- Rejected hosts (open redirect and SSRF guards)
- High cardinality query params (token leakage)
I’ll also add a small sample of redacted URLs to logs when failures happen. This makes it obvious whether the bug is coming from a malformed base, a bad path, or a surprising query format.
A production-ready URL builder utility
Here’s a more complete helper that wraps validation, allows optional path input, and supports strict allowlists for hosts. It’s the kind of module I put in shared libraries so teams don’t reinvent it.
const { URL } = require(‘url‘);
function createStrictUrlBuilder(options) {
const {
baseUrl,
allowedHosts = [],
forceHttps = true,
defaultPath = ‘/‘
} = options;
const base = new URL(baseUrl);
if (forceHttps && base.protocol !== ‘https:‘) {
throw new Error(‘Base URL must be HTTPS‘);
}
if (allowedHosts.length > 0 && !allowedHosts.includes(base.hostname)) {
throw new Error(‘Base host not in allowlist‘);
}
return function build(path = defaultPath, params = {}) {
const u = new URL(path, base);
if (forceHttps) u.protocol = ‘https:‘;
for (const [key, value] of Object.entries(params)) {
if (value !== undefined && value !== null) {
u.searchParams.set(key, String(value));
}
}
return u.href;
};
}
This gives you one function to configure and many safe URLs to generate. It’s particularly useful in microservices where multiple teams build URLs against the same host and path patterns.
The migration plan I recommend
If you’re modernizing a service with a mix of legacy parsing and string concatenation, I follow this sequence:
1) Add a shared helper that wraps new URL() and becomes the default for new code.
2) Replace URL string concatenations in critical code paths (auth, payments, webhooks).
3) Replace legacy parsing in non-critical paths gradually, adding tests for edge cases.
4) Add lint rules that discourage raw string concatenation for URLs.
This avoids a giant refactor while still moving the codebase toward a consistent, safer approach.
Key takeaways and next steps
If you want fewer broken links, fewer redirect bugs, and fewer “why is this 404ing in prod” incidents, treat new URL() as your default tool. It enforces a standard, throws on invalid inputs, and gives you readable, mutable components instead of brittle string logic. The difference in code quality is immediate, and the payoff is huge when you scale traffic or integrate with third-party systems.
If you apply just a few practices—always pass a base, validate protocols, use URLSearchParams, and redact sensitive query params—you’ll eliminate a big chunk of the URL-related bugs that chew up your on-call time. That’s the core value of the URL class: not just correctness, but peace of mind under pressure.
