cURL Auth, TLS, and Proxy Security

cURL•Permalink

Authentication, cookies, TLS verification, client certs, pinned keys, and proxy-secured curl workflows.

View

Standard Detailed Compact

Export

Copy the compact sheet, download it, or print it.

Download

`D` dense toggle · `C` copy all

Credentials and Sessions

Basic auth, netrc, bearer tokens, cookies, and session persistence.

Use credentials from .netrc

Load login credentials from a `.netrc` file.

↗#

bashANYcurlnetrcauth

bash

curl --netrc https://example.com/protected

Useful for automation when credentials should not appear directly in shell history.

Use a custom netrc file

Read machine credentials from a specific netrc file.

↗#

bashANYcurlnetrcauth

bash

curl --netrc-file ./my.netrc https://example.com/protected

Lets you isolate credentials per environment.

HTTP Digest auth

Authenticate with Digest auth if the server supports it.

↗#

bashANYcurlauthdigest

bash

curl --digest -u 'user:password' https://example.com/protected

Some older systems still use Digest auth.

SPNEGO / Negotiate auth

Use Negotiate auth with credentials from the environment or Kerberos setup.

↗#

bashANYcurlauthnegotiate

bash

curl --negotiate -u : https://example.com/protected

Often used in enterprise SSO environments.

Auto-negotiate auth method

Let curl probe and select an auth scheme.

↗#

bashANYcurlauthhttp

bash

curl --anyauth -u 'user:password' https://example.com/protected

Convenient when you do not know the server's auth scheme ahead of time.

Follow redirects and send auth

Follow redirects and keep auth across hosts only when you explicitly trust it.

↗#

bashANYcurlredirectsauth

bash

curl -L --location-trusted -u 'user:password' https://example.com/start

Be careful: this can forward credentials after redirects.

TLS and Certificates

TLS versions, CA stores, pinned keys, and client certificates.

Require TLS 1.2

Require TLS 1.2 or newer for the connection.

↗#

bashANYcurltlssecurity

bash

curl --tlsv1.2 https://example.com

Useful when testing compatibility or enforcing modern TLS.

Set maximum TLS version

Cap the TLS protocol version used by curl.

↗#

bashANYcurltlssecurity

bash

curl --tls-max 1.3 https://example.com

Helpful for compatibility testing.

Use a CA certificate directory

Use a directory of CA certificates instead of a single bundle file.

↗#

bashANYcurltlsca

bash

curl --capath /etc/ssl/certs https://example.com

Some systems prefer hashed CA certificate directories.

Use a PKCS#12 client certificate

Authenticate with a P12 / PFX certificate bundle.

↗#

bashANYcurltlsmtlscert

bash

curl --cert client.p12:mypassword --cert-type P12 https://mtls.example.com

Common in enterprise and legacy integrations.

Pin a public key

Verify the server public key against a pinned key.

↗#

bashANYcurltlspinning

bash

curl --pinnedpubkey sha256//BASE64HASH https://example.com

Pinning is useful for high-trust integrations and internal systems.

Use a certificate revocation list

Check server certs against a CRL file.

↗#

bashANYcurltlscrl

bash

curl --crlfile revoked.pem https://example.com

Relevant in stricter PKI environments.

Request certificate status checks

Require certificate status validation via TLS stapling when supported.

↗#

bashANYcurltlsocsp

bash

curl --cert-status https://example.com

Useful when validating OCSP-stapled environments.

Skip TLS verification for HTTPS proxy

Disable certificate verification for the HTTPS proxy connection.

↗#

bashANYcurlproxytls

bash

curl --proxy-insecure -x https://proxy.example.com:8443 https://example.com

Proxy TLS and origin TLS are separate validation layers.

Proxy Auth and Tunnels

Proxy auth, HTTPS proxies, proxy certificates, and CONNECT tunnels.

Proxy with basic auth

Authenticate to a proxy with username and password.

↗#

bashANYcurlproxyauth

bash

curl -x http://proxy.example.com:8080 -U 'user:password' https://example.com

Use `-U` / `--proxy-user` for proxy credentials.

Use an HTTPS proxy

Route traffic through an HTTPS proxy.

↗#

bashANYcurlproxyhttps

bash

curl -x https://proxy.example.com:8443 https://example.com

An HTTPS proxy encrypts the hop to the proxy itself.

Trust a custom CA for proxy TLS

Use a custom CA certificate file for the HTTPS proxy.

↗#

bashANYcurlproxytls

bash

curl --proxy-cacert proxy-ca.pem -x https://proxy.example.com:8443 https://example.com

Origin CA settings and proxy CA settings are independent.

Client cert for proxy authentication

Send a client certificate when the proxy requires mTLS.

↗#

bashANYcurlproxymtls

bash

curl --proxy-cert proxy-client.crt --proxy-key proxy-client.key -x https://proxy.example.com:8443 https://example.com

Useful in locked-down corporate environments.

Tunnel through an HTTP proxy

Use CONNECT tunneling for non-HTTP protocols when needed.

↗#

bashANYcurlproxytunnel

bash

curl --proxytunnel -x http://proxy.example.com:8080 ftp://example.com/file.txt

CONNECT tunnels are not limited to HTTPS workflows.

More in cURL

cURL Debugging, Performance, and Scripting

Tracing, DNS overrides, proxies, protocol selection, config files, timeouts, and script-friendly curl patterns.

cURL Download and Upload Workflows

Comprehensive curl patterns for downloads, retries, upload flows, range requests, SMTP, SFTP, and batch transfers.

cURL HTTP and API Workflows

HTTP methods, auth, JSON APIs, headers, caching, compression, and response inspection with curl.

cURL Cheat Sheet

High-coverage curl commands for HTTP requests, APIs, downloads, uploads, cookies, redirects, and automation.

Recommended next

No recommendations yet.

Browse all sheets →