cURL Auth, TLS, and Proxy Security

cURL•Permalink

Authentication, cookies, TLS verification, client certs, pinned keys, and proxy-secured curl workflows.

View

Standard Detailed Compact

Export

Copy the compact sheet, download it, or print it.

Download

`D` dense toggle · `C` copy all

Credentials and Sessions

Basic auth, netrc, bearer tokens, cookies, and session persistence.

Use credentials from .netrc

Load login credentials from a `.netrc` file.

bashANYcurlnetrcauth

↗#

bash

curl --netrc https://example.com/protected

Notes

Useful for automation when credentials should not appear directly in shell history.

Use a custom netrc file

Read machine credentials from a specific netrc file.

bashANYcurlnetrcauth

↗#

bash

curl --netrc-file ./my.netrc https://example.com/protected

Notes

Lets you isolate credentials per environment.

HTTP Digest auth

Authenticate with Digest auth if the server supports it.

bashANYcurlauthdigest

↗#

bash

curl --digest -u 'user:password' https://example.com/protected

Notes

Some older systems still use Digest auth.

SPNEGO / Negotiate auth

Use Negotiate auth with credentials from the environment or Kerberos setup.

bashANYcurlauthnegotiate

↗#

bash

curl --negotiate -u : https://example.com/protected

Notes

Often used in enterprise SSO environments.

Auto-negotiate auth method

Let curl probe and select an auth scheme.

bashANYcurlauthhttp

↗#

bash

curl --anyauth -u 'user:password' https://example.com/protected

Notes

Convenient when you do not know the server's auth scheme ahead of time.

Follow redirects and send auth

Follow redirects and keep auth across hosts only when you explicitly trust it.

bashANYcurlredirectsauth

↗#

bash

curl -L --location-trusted -u 'user:password' https://example.com/start

Notes

Be careful: this can forward credentials after redirects.

TLS and Certificates

TLS versions, CA stores, pinned keys, and client certificates.

Require TLS 1.2

Require TLS 1.2 or newer for the connection.

bashANYcurltlssecurity

↗#

bash

curl --tlsv1.2 https://example.com

Notes

Useful when testing compatibility or enforcing modern TLS.

Set maximum TLS version

Cap the TLS protocol version used by curl.

bashANYcurltlssecurity

↗#

bash

curl --tls-max 1.3 https://example.com

Notes

Helpful for compatibility testing.

Use a CA certificate directory

Use a directory of CA certificates instead of a single bundle file.

bashANYcurltlsca

↗#

bash

curl --capath /etc/ssl/certs https://example.com

Notes

Some systems prefer hashed CA certificate directories.

Use a PKCS#12 client certificate

Authenticate with a P12 / PFX certificate bundle.

bashANYcurltlsmtlscert

↗#

bash

curl --cert client.p12:mypassword --cert-type P12 https://mtls.example.com

Notes

Common in enterprise and legacy integrations.

Pin a public key

Verify the server public key against a pinned key.

bashANYcurltlspinning

↗#

bash

curl --pinnedpubkey sha256//BASE64HASH https://example.com

Notes

Pinning is useful for high-trust integrations and internal systems.

Use a certificate revocation list

Check server certs against a CRL file.

bashANYcurltlscrl

↗#

bash

curl --crlfile revoked.pem https://example.com

Notes

Relevant in stricter PKI environments.

Request certificate status checks

Require certificate status validation via TLS stapling when supported.

bashANYcurltlsocsp

↗#

bash

curl --cert-status https://example.com

Notes

Useful when validating OCSP-stapled environments.

Skip TLS verification for HTTPS proxy

Disable certificate verification for the HTTPS proxy connection.

bashANYcurlproxytls

↗#

bash

curl --proxy-insecure -x https://proxy.example.com:8443 https://example.com

Notes

Proxy TLS and origin TLS are separate validation layers.

Proxy Auth and Tunnels

Proxy auth, HTTPS proxies, proxy certificates, and CONNECT tunnels.

Proxy with basic auth

Authenticate to a proxy with username and password.

bashANYcurlproxyauth

↗#

bash

curl -x http://proxy.example.com:8080 -U 'user:password' https://example.com

Notes

Use `-U` / `--proxy-user` for proxy credentials.

Use an HTTPS proxy

Route traffic through an HTTPS proxy.

bashANYcurlproxyhttps

↗#

bash

curl -x https://proxy.example.com:8443 https://example.com

Notes

An HTTPS proxy encrypts the hop to the proxy itself.

Trust a custom CA for proxy TLS

Use a custom CA certificate file for the HTTPS proxy.

bashANYcurlproxytls

↗#

bash

curl --proxy-cacert proxy-ca.pem -x https://proxy.example.com:8443 https://example.com

Notes

Origin CA settings and proxy CA settings are independent.

Client cert for proxy authentication

Send a client certificate when the proxy requires mTLS.

bashANYcurlproxymtls

↗#

bash

curl --proxy-cert proxy-client.crt --proxy-key proxy-client.key -x https://proxy.example.com:8443 https://example.com

Notes

Useful in locked-down corporate environments.

Tunnel through an HTTP proxy

Use CONNECT tunneling for non-HTTP protocols when needed.

bashANYcurlproxytunnel

↗#

bash

curl --proxytunnel -x http://proxy.example.com:8080 ftp://example.com/file.txt

Notes

CONNECT tunnels are not limited to HTTPS workflows.

More in cURL

cURL Debugging, Performance, and Scripting

Tracing, DNS overrides, proxies, protocol selection, config files, timeouts, and script-friendly curl patterns.

cURL Download and Upload Workflows

Comprehensive curl patterns for downloads, retries, upload flows, range requests, SMTP, SFTP, and batch transfers.

cURL HTTP and API Workflows

HTTP methods, auth, JSON APIs, headers, caching, compression, and response inspection with curl.

cURL Cheat Sheet

High-coverage curl commands for HTTP requests, APIs, downloads, uploads, cookies, redirects, and automation.

Recommended next

No recommendations yet.

Browse all sheets →