QR Code Structure
A QR code is not a random grid of squares. It has a defined structure that every scanner knows how to interpret.
The key structural elements:
- Finder patterns: the three square corners (top-left, top-right, bottom-left). These let the scanner locate and orient the code regardless of rotation.
- Timing patterns: alternating black and white lines connecting the finder patterns. They establish the module grid.
- Alignment patterns: smaller square patterns in larger QR codes (version 2 and above). They help the scanner correct for image distortion.
- Format information: strips adjacent to the finder patterns that encode the error correction level and mask pattern used.
- Data and error correction modules: the remaining area, which encodes the actual content plus Reed-Solomon redundancy.
The data area is encoded in one of several modes: numeric (most compact for digit-only data), alphanumeric (uppercase letters, digits, and a small set of symbols), byte (arbitrary bytes, used for URLs with lowercase letters), or kanji (for Japanese characters). URLs use byte mode because they contain lowercase letters.
Error Correction Levels
Reed-Solomon error correction adds redundant data that allows reconstruction of the original message even when some modules are unreadable.
| Level | Recovery capacity | Best for |
|---|---|---|
| L | Up to 7% | Screens, clean print, high contrast |
| M | Up to 15% | Standard print, slight wear expected |
| Q | Up to 25% | Curved surfaces, outdoor, fabric |
| H | Up to 30% | Heavy wear, logo overlays, poor print quality |
Higher error correction means larger, denser QR codes for the same data. A 30-character URL at level L produces a much smaller, simpler code than the same URL at level H. For screen display (phone screens, monitors, digital signs) where the image is always sharp, L or M is fine. For anything printed at small sizes or likely to be physically degraded, use H.
URL QR Code Best Practices
Keep URLs Short
Every additional character increases the QR code’s complexity. A longer URL means more modules, a denser pattern, and a harder scan. Options for shortening:
- Use a short domain if you control one (
devbento.devvsdevbento-tools.example.com) - Remove tracking parameters from the QR code URL if possible; add them server-side via redirect
- Use a URL shortener for very long URLs (but see the security note below)
Use HTTPS
A QR code pointing to an HTTP URL will trigger browser security warnings on modern phones. Always use https://. If your site does not have TLS, fix that before generating QR codes.
Test Before Printing
Print a sample at the intended final size and scan it with multiple devices, including an older Android phone and a dedicated barcode scanner if your use case requires it. A QR code that scans perfectly on a high-end phone camera may fail on older hardware.
Print Size Guidelines
The minimum printable size for a QR code depends on the number of modules and the printing quality. A practical guideline:
- Each module should be at least 0.25mm when printed
- A Version 3 QR code (29x29 modules) at 0.25mm per module = 7.25mm square (about the size of a postage stamp)
- Add a quiet zone of at least 4 module widths on all sides; this white border is required for scanning
For standard use (posters, business cards, packaging), a QR code printed at 2.5cm × 2.5cm or larger scans reliably at a distance of up to 25cm with a typical phone camera. The distance-to-size ratio is roughly 10:1, meaning a 2.5cm code scans from 25cm, a 5cm code from 50cm, etc.
Security Considerations
QR phishing (quishing) exploits the fact that people cannot visually inspect a QR code. Common attacks include:
- Stickers with malicious QR codes placed over legitimate ones in public spaces
- QR codes in phishing emails that bypass URL-based email filters
- QR codes linking to pages that mimic legitimate sites (login pages, payment pages)
If you distribute QR codes, make it easy for users to verify the destination. Include the full URL in text near the QR code when space allows. For critical workflows (payments, account access), avoid QR codes entirely or use a trusted app that validates the destination before opening.
URL shorteners in QR codes hide the destination domain, which reduces user trust and makes phishing harder to spot. Prefer full canonical URLs in QR codes for any security-sensitive context.