curl — HTTP Client
What It Does
curl transfers data to or from a server using URLs. It answers: what does the server respond with, what are the response headers, how long does each phase of the connection take, and is the SSL certificate valid?
Running the Examples Script
```bash
# Requires a target argument (URL)
bash scripts/curl/examples.sh <target>

# Or via Makefile
make curl TARGET=<target>

# Examples with lab targets
bash scripts/curl/examples.sh https://example.com
bash scripts/curl/examples.sh http://localhost:8080
```

The script prints 10 example commands with explanations, then offers to fetch response headers interactively.
Key Flags to Remember
| Flag | What It Does |
|---|---|
| `-I` | Fetch response headers only (HEAD request) |
| `-i` | Include response headers with the body |
| `-v` | Verbose output — full request and response details |
| `-L` | Follow redirects automatically |
| `-X POST` | Send a POST request (or PUT, DELETE, PATCH, etc.) |
| `-d 'data'` | Send data in the request body |
| `-H 'Header: value'` | Send a custom header |
| `-o output.html` | Download response to a file |
| `-s` | Silent mode — no progress bar or error messages |
| `-k` | Ignore SSL certificate errors (testing only) |
| `-w 'format'` | Write out connection timing and metadata after transfer |
Install
Pre-installed on macOS. No additional installation needed.

```bash
# Debian/Ubuntu
sudo apt install curl

# Fedora/RHEL
sudo dnf install curl
```

Use-Case Scripts
test-http-endpoints.sh — Test HTTP endpoints with different methods
Demonstrates HTTP method testing with curl. Shows how to send GET, POST, PUT, DELETE, PATCH, HEAD, and OPTIONS requests to inspect API behavior and status codes.
When to use: When testing web application endpoints for allowed methods, CORS configuration, or API behavior.
Key commands:
```bash
# GET request -- check status code
curl -s -o /dev/null -w 'HTTP %{http_code}\n' https://example.com

# POST with JSON body
curl -X POST -H 'Content-Type: application/json' -d '{"key":"value"}' https://example.com

# OPTIONS request -- discover allowed methods and CORS
curl -X OPTIONS -i -s https://example.com

# HEAD request -- headers only, no body
curl -I -s https://example.com

# Follow redirects and show the redirect chain
# (-i on grep: HTTP/1.1 servers usually send "Location:", HTTP/2 sends "location:")
curl -L -v -s -o /dev/null https://example.com 2>&1 | grep -iE '< HTTP/|< location:'
```

Make target: make test-http TARGET=<url>
check-ssl-certificate.sh — Check SSL/TLS certificate details
Inspects SSL/TLS certificates using curl. Shows how to check certificate validity, expiry dates, TLS version support, certificate chain of trust, and HSTS headers.
When to use: When verifying SSL certificate configuration, checking for expiring certificates, or testing TLS version support.
Key commands:
```bash
# View SSL certificate details
curl -vI https://example.com 2>&1 | grep -E 'subject:|issuer:|expire|SSL'

# Test TLS 1.2 support
curl --tlsv1.2 --tls-max 1.2 -sI https://example.com -o /dev/null -w 'TLS 1.2: HTTP %{http_code}\n'

# Test TLS 1.3 support
curl --tlsv1.3 -sI https://example.com -o /dev/null -w 'TLS 1.3: HTTP %{http_code}\n'

# Check HSTS header
curl -sI https://example.com | grep -i strict-transport-security

# Compare with vs without certificate verification
curl -sI https://example.com -o /dev/null -w 'With verify: HTTP %{http_code}\n'
curl -sI -k https://example.com -o /dev/null -w 'Skip verify: HTTP %{http_code}\n'
```

Make target: make check-ssl TARGET=<domain>
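The HSTS `grep` above only shows whether the header is present. As an added example (not one of the project's scripts), the function below grades the header value from `curl -sI` output; the one-year minimum `max-age` and the names `audit_hsts` and `sample_*` are assumptions of this example, and the sample headers are constructed.

```bash
#!/usr/bin/env bash
# Added example: grade the Strict-Transport-Security header from `curl -sI` output.

# Shortest max-age accepted here: one year (a threshold assumed for this example).
MIN_MAX_AGE=31536000

# Read raw response headers on stdin; print a one-line verdict.
audit_hsts() {
  local value max_age subdomains=no
  # Header names are case-insensitive, and each header line ends in CR LF.
  value=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
          | cut -d: -f2- | tr 'A-Z' 'a-z')
  if [ -z "$value" ]; then echo "missing"; return 0; fi

  max_age=$(printf '%s\n' "$value" \
            | sed -n 's/.*max-age="\{0,1\}\([0-9]\{1,\}\).*/\1/p')
  if [ -z "$max_age" ]; then echo "invalid (no max-age)"; return 0; fi

  case "$value" in *includesubdomains*) subdomains=yes ;; esac

  if [ "$max_age" -eq 0 ]; then
    echo "disabled (max-age=0 clears the policy)"
  elif [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
    echo "weak max_age=$max_age includeSubDomains=$subdomains"
  else
    echo "ok max_age=$max_age includeSubDomains=$subdomains"
  fi
}

# Constructed sample responses (not captured from a real server).
sample_good() {
  printf 'HTTP/2 200\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\n\r\n'
}
sample_weak() {
  printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n'
}
sample_missing() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

# Live use: curl -sI https://example.com | audit_hsts
sample_good | audit_hsts
sample_weak | audit_hsts
sample_missing | audit_hsts
```
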
debug-http-response.sh — Debug HTTP response timing and details
Diagnoses HTTP response behavior using curl’s timing and debug features. Measures DNS lookup, TCP connect, TLS handshake, and time-to-first-byte to pinpoint latency sources.
When to use: When diagnosing slow web requests or identifying which phase of the connection is causing delays.
Key commands:
```bash
# Full HTTP timing breakdown
curl -o /dev/null -s -w 'DNS Lookup: %{time_namelookup}s\nTCP Connect: %{time_connect}s\nTLS Handshake: %{time_appconnect}s\nFirst Byte: %{time_starttransfer}s\nTotal: %{time_total}s\n' https://example.com

# Measure time-to-first-byte (TTFB)
curl -o /dev/null -s -w 'TTFB: %{time_starttransfer}s\n' https://example.com

# Show response size in bytes
curl -o /dev/null -s -w 'Download size: %{size_download} bytes\nHeader size: %{size_header} bytes\n' https://example.com

# Compare HTTP/1.1 vs HTTP/2 response
curl --http1.1 -o /dev/null -s -w 'HTTP/1.1 total: %{time_total}s\n' https://example.com
curl --http2 -o /dev/null -s -w 'HTTP/2 total: %{time_total}s\n' https://example.com

# Save full debug trace to file for analysis
curl --trace curl-trace.log --trace-time https://example.com -o /dev/null
```

Make target: make debug-http TARGET=<url>
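curl's `time_*` write-out values are cumulative from the start of the transfer, so the slow phase is found by subtracting each timer from the next one. The following is an added example (not one of the project's scripts) that does this; `phase_breakdown`, `TIMING_FMT` and the sample values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: convert curl's cumulative -w timers into per-phase durations.

# Write-out format: one name=value pair per line, built from curl's own variables.
TIMING_FMT='namelookup=%{time_namelookup}\nconnect=%{time_connect}\nappconnect=%{time_appconnect}\nstarttransfer=%{time_starttransfer}\ntotal=%{time_total}\n'

# Read name=value lines on stdin; print per-phase durations in milliseconds.
phase_breakdown() {
  awk -F= '
    { t[$1] = $2 + 0 }
    END {
      # time_appconnect stays 0 for plain HTTP because no TLS handshake happens.
      tls_done = (t["appconnect"] > 0) ? t["appconnect"] : t["connect"]
      printf "dns_ms=%.0f\n",      t["namelookup"] * 1000
      printf "tcp_ms=%.0f\n",      (t["connect"] - t["namelookup"]) * 1000
      printf "tls_ms=%.0f\n",      (tls_done - t["connect"]) * 1000
      printf "server_ms=%.0f\n",   (t["starttransfer"] - tls_done) * 1000
      printf "transfer_ms=%.0f\n", (t["total"] - t["starttransfer"]) * 1000
    }'
}

# Constructed sample outputs (not real measurements).
SAMPLE_HTTPS='namelookup=0.012000
connect=0.045000
appconnect=0.130000
starttransfer=0.210000
total=0.250000'

SAMPLE_HTTP='namelookup=0.001000
connect=0.002000
appconnect=0.000000
starttransfer=0.010000
total=0.011000'

# Live use: curl -o /dev/null -s -w "$TIMING_FMT" https://example.com | phase_breakdown
printf '%s\n' "$SAMPLE_HTTPS" | phase_breakdown
printf '%s\n' "$SAMPLE_HTTP" | phase_breakdown
```

In the HTTPS sample the TLS handshake and the server's think time dominate, which the raw cumulative numbers do not make obvious.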
Practice Against Lab Targets
```bash
make lab-up

# Test lab endpoints
curl -I http://localhost:8080          # DVWA
curl -I http://localhost:3030          # Juice Shop
curl -I http://localhost:8888/WebGoat  # WebGoat

# Timing breakdown against local target
curl -o /dev/null -s -w 'DNS: %{time_namelookup}s\nConnect: %{time_connect}s\nTotal: %{time_total}s\n' http://localhost:8080
```

- macOS ships with curl pre-installed — no additional installation needed
- Use `-s` (silent) when scripting to suppress the progress bar
- The `-w` (write-out) format string is extremely powerful for performance debugging — see `man curl` for all available variables
- Use `-k` only for testing against self-signed certificates, never in production
- curl’s verbose output (`-v`) goes to stderr, so pipe with `2>&1` to capture it