Curl Cheat Sheet

April 24, 2026 · 4 min read

Security Engineer

A quick reference for curl,a command-line tool for transferring data with URLs. Supports HTTP, HTTPS, FTP, SFTP, and more.

Anatomy of a curl command

curl [options] [URL]
 │
 ├── -X METHOD       HTTP method (GET, POST, PUT, PATCH, DELETE)
 ├── -H "K: V"       Request header
 ├── -d "data"       Request body
 ├── -o file         Save output to file
 ├── -O              Save with remote filename
 ├── -u user:pass    Basic auth
 ├── -b "k=v"        Send cookie
 ├── -c file         Save cookies to file
 ├── -L              Follow redirects
 ├── -I              HEAD request (headers only)
 ├── -s              Silent (no progress bar)
 ├── -v              Verbose (show request + response headers)
 ├── -k              Skip TLS certificate verification
 └── --max-time N    Timeout after N seconds

HTTP Requests

# GET
curl https://example.com/api/users

# POST with JSON body
curl -X POST https://example.com/api/users \
  -H "Content-Type: application/json" \
  -d '{"name":"joie","role":"admin"}'

# POST form data
curl -X POST https://example.com/login \
  -d "username=joie&password=secret"

# PUT
curl -X PUT https://example.com/api/users/1 \
  -H "Content-Type: application/json" \
  -d '{"name":"joie updated"}'

# PATCH
curl -X PATCH https://example.com/api/users/1 \
  -H "Content-Type: application/json" \
  -d '{"role":"user"}'

# DELETE
curl -X DELETE https://example.com/api/users/1

Headers & Auth

# Custom header
curl -H "Authorization: Bearer TOKEN" https://example.com/api

# Multiple headers
curl -H "Accept: application/json" \
     -H "X-Request-ID: abc123" \
     https://example.com/api

# Basic auth
curl -u username:password https://example.com/protected

# API key in header
curl -H "X-API-Key: mykey123" https://example.com/api

File Upload / Download

# Download a file (save with remote name)
curl -O https://example.com/file.tar.gz

# Download and rename
curl -o myfile.tar.gz https://example.com/file.tar.gz

# Resume interrupted download
curl -C - -O https://example.com/largefile.tar.gz

# Upload a file (multipart form)
curl -X POST https://example.com/upload \
  -F "file=@/path/to/file.txt"

# Upload raw binary
curl -X PUT https://example.com/upload \
  --data-binary @/path/to/image.png

TLS / Certificates

# Skip certificate verification (insecure)
curl -k https://self-signed.example.com

# Specify CA cert
curl --cacert /path/to/ca.crt https://example.com

# Client certificate + key
curl --cert client.crt --key client.key https://example.com

# Show certificate info only
curl -v --head https://example.com 2>&1 | grep -A5 "certificate"

Cookies

# Send a cookie
curl -b "session=abc123" https://example.com

# Save cookies from response
curl -c cookies.txt https://example.com/login \
  -d "username=joie&password=secret"

# Replay saved cookies
curl -b cookies.txt https://example.com/dashboard

Debugging & Inspection

# Show response headers only (HEAD)
curl -I https://example.com

# Show request + response headers
curl -v https://example.com

# Show only status code
curl -o /dev/null -s -w "%{http_code}" https://example.com

# Show timing breakdown
curl -o /dev/null -s -w \
  "dns:%{time_namelookup}s  connect:%{time_connect}s  ttfb:%{time_starttransfer}s  total:%{time_total}s\n" \
  https://example.com

# Trace all data (very verbose)
curl --trace - https://example.com

Proxy

# Route through HTTP proxy
curl -x http://proxy.example.com:8080 https://target.com

# Proxy with auth
curl -x http://proxy.example.com:8080 \
  -U proxyuser:proxypass \
  https://target.com

# SOCKS5 proxy (e.g. Tor)
curl --socks5 127.0.0.1:9050 https://check.torproject.org

Useful Combinations

# Pretty-print JSON response
curl -s https://api.example.com/data | python3 -m json.tool

# Follow redirects + show final URL
curl -Ls -o /dev/null -w "%{url_effective}" https://t.co/shortlink

# Rate-limit download speed
curl --limit-rate 500k -O https://example.com/bigfile.zip

# Retry on failure
curl --retry 3 --retry-delay 2 https://example.com/api

# Send request with timeout
curl --max-time 10 https://example.com/api

Quick Reference Card

Flag	Meaning
`-X METHOD`	Set HTTP method
`-H "K: V"`	Add request header
`-d "data"`	Send request body
`-F "k=@file"`	Multipart file upload
`-o file`	Save output to named file
`-O`	Save with server filename
`-C -`	Resume download
`-L`	Follow redirects
`-I`	HEAD (headers only)
`-v`	Verbose output
`-s`	Silent mode
`-k`	Ignore TLS errors
`-u user:pass`	Basic authentication
`-b "k=v"`	Send cookie
`-c file`	Save cookies
`-x proxy`	Use proxy
`--retry N`	Retry on failure
`--max-time N`	Global timeout (seconds)
`--limit-rate N`	Cap transfer speed

Anatomy of a curl command​

HTTP Requests​

Headers & Auth​

File Upload / Download​

TLS / Certificates​

Cookies​

Debugging & Inspection​

Proxy​

Useful Combinations​

Quick Reference Card​

Anatomy of a curl command

HTTP Requests

Headers & Auth

File Upload / Download

TLS / Certificates

Cookies

Debugging & Inspection

Proxy

Useful Combinations

Quick Reference Card