May the source be with you, but remember the KISS principle ;-)

Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Scripting HTTP Requests with Curl

News See also Books Recommended Links Curl config file


libcurl wget Admin Horror Stories Unix History Humor


Curl is a command line tool the main value of which is that it permit scripting HTTP requests, especially emulating browser for submission of forms. It also can be used for pages retrieval competing in this are with wget. If can be used from Perl using libcurl wrapper. See WWWCurl - Perl extension interface for libcurl (also at libcurl - the Perl Binding)

Use curl --help or curl --manual to get basic information about it.

Curl makes the requests, it gets the data, it sends data and it retrieves the information. You probably need to glue everything together using some kind of script language or repeated manual invokes.

Using curl's option -v will display what kind of commands curl sends to the server, as well as a few other informational texts. -v is the single most useful option when it comes to debug or even understand the curl-server interaction.

Using curl's option -v will display what kind of commands curl sends to the server, as well as a few other informational texts.

-v is the single most useful option when it comes to debug or even understand the curl-server interaction.

The simplest and most common request/operation made using HTTP is to get a URL. The URL could itself refer to a web page, an image or a file. The client issues a GET request to the server and receives the document it asked for. If you issue the command line


you get a web page returned in your terminal window. The entire HTML document that that URL holds.

All HTTP replies contain a set of headers that are normally hidden, use curl's -i option to display them as well as the rest of the document. You can also ask the remote server for ONLY the headers by using the -I option (which will make curl issue a HEAD request).

Curl config file

Curl automatically tries to read the .curlrc file (or _curlrc file on win32 systems) from the user's home dir on startup.

Suse automatically generate this file for root account based on proxy settings specified.

The config file could be made up with normal command line switches. You can also specify the long options without the dashes to make it more readable.

You can separate the options and the parameter with spaces, or with = or :

Comments can be used within the file. If the first letter on a line is a '#'-letter the rest of the line is treated as a comment.

If you want the parameter to contain spaces, you must enclose the entire parameter within double quotes ("). Within those quotes, you specify a quote as \".

NOTE: You must specify options and the option's arguments on the same line.

Example, set default time out and proxy in a config file:

#We  want a 30 minute timeout:
        -m 1800
#. .. and we use a proxy for all accesses:
        proxy =

White spaces ARE significant at the end of lines, but all white spaces leading up to the first characters of each line are ignored.

Prevent curl from reading the default file by using -q as the first command line parameter, like:

curl -q 

Force curl to get and display a local help page in case it is invoked without URL by making a config file similar to:

#default  url to get
url = ""

You can specify another config file to be read by using the -K/--config flag. If you set config file name to "-" it'll read the config from stdin, which can be handy if you want to hide options from being visible in process tables etc:

echo "user = user:passwd" | curl -K -
To get header use -I : when used, CURL prints only the server response’s HTTP headers, instead of the page data.
 curl -I ... 
Also useful is -L : if the initial web server response indicates that the requested page has moved to a new location (redirect), CURL’s default behavior is not to request the page at that new location, but just print the HTTP error message. This switch instructs CURL to make another request asking for the page at the new location whenever the web server returns a 3xx HTTP code.


Authentication is the ability to tell the server your username and password so that it can verify that you're allowed to do the request you're doing. The Basic authentication used in HTTP (which is the type curl uses by default) is *plain* *text* based, which means it sends username and password only slightly obfuscated, but still fully readable by anyone that sniffs on the network between you and the remote server.

To tell curl to use a user and password for authentication:

curl -u name:password 

The site might require a different authentication method (check the headers returned by the server), and then --ntlm, --digest, --negotiate or even --anyauth might be options that suit you. Sometimes your HTTP access is only available through the use of a HTTP proxy. This seems to be especially common at various companies. A HTTP proxy may require its own user and password to allow the client to get through to the Internet. To specify those with curl, run something like:

curl -U proxyuser:proxypassword 

If your proxy requires the authentication to be done using the NTLM method, use --proxy-ntlm, if it requires Digest use --proxy-digest.

If you use any one these user+password options but leave out the password part, curl will prompt for the password interactively.

Do note that when a program is run, its parameters might be possible to see when listing the running processes of the system. Thus, other users may be able to watch your passwords if you pass them as plain command line options. There are ways to circumvent this.


Forms are the general way a web site can present a HTML page with fields for the user to enter data in, and then press some kind of 'OK' or 'submit' button to get that data sent to the server. The server then typically uses the posted data to decide how to act. Like using the entered words to search in a database, or to add the info in a bug track system, display the entered address on a map or using the info as a login-prompt verifying that the user is allowed to see what it is about to see.

Of course there has to be some kind of program in the server end to receive the data you send. You cannot just invent something out of the air.


A GET-form uses the method GET, as specified in HTML like:

<form method="GET" action="junk.cgi">
<input type=text name="birthyear">
<input type=submit name=press value="OK">

In your favorite browser, this form will appear with a text box to fill in and a press-button labeled "OK". If you fill in '1905' and press the OK button, your browser will then create a new URL to get for you. The URL will get "junk.cgi?birthyear=1905&press=OK" appended to the path part of the previous URL.

If the original form was seen on the page "", the second page you'll get will become "".

Most search engines work this way.

To make curl do the GET form post for you, just enter the expected created URL:

curl ""


The GET method makes all input field names get displayed in the URL field of your browser. That's generally a good thing when you want to be able to bookmark that page with your given data, but it is an obvious disadvantage if you entered secret information in one of the fields or if there are a large amount of fields creating a very long and unreadable URL.

The HTTP protocol then offers the POST method. This way the client sends the data separated from the URL and thus you won't see any of it in the URL address field.

The form would look very similar to the previous one:

<form method="POST" action="junk.cgi">
<input type=text name="birthyear">
<input type=submit name=press value=" OK ">

And to use curl to post this form with the same data filled in as before, we could do it like:

curl -d "birthyear=1905&press=%20OK%20" 

This kind of POST will use the Content-Type application/x-www-form-urlencoded and is the most widely used POST kind.

The data you send to the server MUST already be properly encoded, curl will not do that for you. For example, if you want the data to contain a space, you need to replace that space with %20 etc. Failing to comply with this will most likely cause your data to be received wrongly and messed up.

File Upload POST

Back in late 1995 they defined an additional way to post data over HTTP. It is documented in the RFC 1867, why this method sometimes is referred to as RFC1867-posting.

This method is mainly designed to better support file uploads. A form that allows a user to upload a file could be written like this in HTML:

<form method="POST" enctype='multipart/form-data' action="upload.cgi">
<input type=file name=upload> <input type=submit name=press value="OK">

This clearly shows that the Content-Type about to be sent is multipart/form-data.

To post to a form like this with curl, you enter a command line like:

curl -F upload=@localfilename -F press=OK [URL] 

Hidden Fields

A very common way for HTML based application to pass state information between pages is to add hidden fields to the forms. Hidden fields are already filled in, they aren't displayed to the user and they get passed along just as all the other fields.

A similar example form with one visible field, one hidden field and one submit button could look like:

<form method="POST" action="foobar.cgi"> <input type=text name="birthyear"> <input 
type=hidden name="person" value="daniel"> <input type=submit name="press" value="OK"> 

To post this with curl, you won't have to think about if the fields are hidden or not. To curl they're all the same:

curl -d "birthyear=1905&press=OK&person=daniel" [URL] 

When you're about fill in a form and send to a server by using curl instead of a browser, you're of course very interested in sending a POST exactly the way your browser does.

An easy way to get to see this, is to save the HTML page with the form on your local disk, modify the 'method' to a GET, and press the submit button (you could also change the action URL if you want to).

You will then clearly see the data get appended to the URL, separated with a '?'-letter as GET forms are supposed to.


The perhaps best way to upload data to a HTTP server is to use PUT. Then again, this of course requires that someone put a program or script on the server end that knows how to receive a HTTP PUT stream.

Put a file to a HTTP server with curl:

curl -T uploadfile 


A HTTP request may include a 'referer' field (yes it is misspelled), which can be used to tell from which URL the client got to this particular resource. Some programs/scripts check the referer field of requests to verify that this wasn't arriving from an external site or an unknown page. While this is a stupid way to check something so easily forged, many scripts still do it. Using curl, you can put anything you want in the referer-field and thus more easily be able to fool the server into serving your request.

Use curl to set the referer field with:

curl -e 

User Agent

Very similar to the referer field, all HTTP requests may set the User-Agent field. It names what user agent (client) that is being used. Many applications use this information to decide how to display pages. Silly web programmers try to make different pages for users of different browsers to make them look the best possible for their particular browsers. They usually also do different kinds of javascript, vbscript etc.

At times, you will see that getting a page with curl will not return the same page that you see when getting the page with your browser. Then you know it is time to set the User Agent field to fool the server into thinking you're one of those browsers.

To make curl look like Internet Explorer on a Windows 2000 box:

curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" [URL] 

Or why not look like you're using Netscape 4.73 on a Linux (PIII) box:

curl -A "Mozilla/4.73 [en] (X11; U; Linux 2.2.15 i686)" [URL]


When a resource is requested from a server, the reply from the server may include a hint about where the browser should go next to find this page, or a new page keeping newly generated output. The header that tells the browser to redirect is Location:.

Curl does not follow Location: headers by default, but will simply display such pages in the same manner it display all HTTP replies. It does however feature an option that will make it attempt to follow the Location: pointers.

To tell curl to follow a Location:

curl -L

If you use curl to POST to a site that immediately redirects you to another page, you can safely use -L and -d/-F together. Curl will only use POST in the first request, and then revert to GET in the following operations.


The way the web browsers do "client side state control" is by using cookies. Cookies are just names with associated contents. The cookies are sent to the client by the server. The server tells the client for what path and host name it wants the cookie sent back, and it also sends an expiration date and a few more properties.

When a client communicates with a server with a name and path as previously specified in a received cookie, the client sends back the cookies and their contents to the server, unless of course they are expired.

Many applications and servers use this method to connect a series of requests into a single logical session. To be able to use curl in such occasions, we must be able to record and send back cookies the way the web application expects them. The same way browsers deal with them.

The simplest way to send a few cookies to the server when getting a page with curl is to add them on the command line like:

curl -b "name=Daniel" 

Cookies are sent as common HTTP headers. This is practical as it allows curl to record cookies simply by recording headers. Record cookies with curl by using the -D option like:

curl -D headers_and_cookies 

(Take note that the -c option described below is a better way to store cookies.)

Curl has a full blown cookie parsing engine built-in that comes to use if you want to reconnect to a server and use cookies that were stored from a previous connection (or handicrafted manually to fool the server into believing you had a previous connection). To use previously stored cookies, you run curl like:

curl -b stored_cookies_in_file 

Curl's "cookie engine" gets enabled when you use the -b option. If you only want curl to understand received cookies, use -b with a file that doesn't exist. Example, if you want to let curl understand cookies from a page and follow a location (and thus possibly send back cookies it received), you can invoke it like:

curl -b nada -L 

Curl has the ability to read and write cookie files that use the same file format that Netscape and Mozilla do. It is a convenient way to share cookies between browsers and automatic scripts. The -b switch automatically detects if a given file is such a cookie file and parses it, and by using the -c/--cookie-jar option you'll make curl write a new cookie file at the end of an operation:

curl -b cookies.txt -c newcookies.txt 


There are a few ways to do secure HTTP transfers. The by far most common protocol for doing this is what is generally known as HTTPS, HTTP over SSL. SSL encrypts all the data that is sent and received over the network and thus makes it harder for attackers to spy on sensitive information.

SSL (or TLS as the latest version of the standard is called) offers a truckload of advanced features to allow all those encryptions and key infrastructure mechanisms encrypted HTTP requires.

Curl supports encrypted fetches thanks to the freely available OpenSSL libraries. To get a page from a HTTPS server, simply run curl like:



In the HTTPS world, you use certificates to validate that you are the one you you claim to be, as an addition to normal passwords. Curl supports client-side certificates. All certificates are locked with a pass phrase, which you need to enter before the certificate can be used by curl. The pass phrase can be specified on the command line or if not, entered interactively when curl queries for it. Use a certificate with curl on a HTTPS server like:

curl -E mycert.pem 

curl also tries to verify that the server is who it claims to be, by verifying the server's certificate against a locally stored CA cert bundle. Failing the verification will cause curl to deny the connection. You must then use -k in case you want to tell curl to ignore that the server can't be verified.

More about server certificate verification and ca cert bundles can be read in the SSLCERTS document, available online here: 

Custom Request Elements

Doing fancy stuff, you may need to add or change elements of a single curl request.

For example, you can change the POST request to a PROPFIND and send the data as "Content-Type: text/xml" (instead of the default Content-Type) like this:

curl -d "<xml>" -H "Content-Type: text/xml" -X PROPFIND 

You can delete a default header by providing one without content. Like you can ruin the request by chopping off the Host: header:

curl -H "Host:" 

You can add headers the same way. Your server may want a "Destination:" header, and you can add it:

curl -H "Destination:" 


Many times when you run curl on a site, you'll notice that the site doesn't seem to respond the same way to your curl requests as it does to your browser's.

Then you need to start making your curl requests more similar to your browser's requests:

A very good helper to make sure you do this right, is the LiveHTTPHeader tool that lets you view all headers you send and receive with Mozilla/Firefox (even when using HTTPS).

A more raw approach is to capture the HTTP traffic on the network with tools such as ethereal or tcpdump and check what headers that were sent and received by the browser. (HTTPS makes this technique inefficient.)


Top updates

Bulletin Latest Past week Past month
Google Search


Old News ;-)

[Jun 08, 2011] Fun With HTTP Headers

Want to examine the headers of a site for yourself? Try curl:

curl -i

In the output of the above the first few lines are the headers, then there are a couple of line breaks, and then the body. If you just want to see the headers, and not the body, use the -I option instead of -i. Be forewarned, however, that some servers return different headers in this case, as curl will be requesting the data using a HEAD request rather than a GET request.

What I did to gather all of these headers was very similar. First, I downloaded an RDF dump of the Open Directory Project’s directory, and pulled out every URL from that file. Then, I stuck all of the domain names of these URL’s in a big database. A simple multithreaded Python script was used to download all of the index pages of these URL’s using PycURL and stick the headers and page contents in a database. When that was done, I had a database with 2,686,155 page responses and 23,699,737 response headers. The actual downloading of all of this took about a week.

This is, of course, not anywhere near a comprehensive survey of the web. Netcraft received responses from 70,392,567 sites in its August 2005 web survey, so I hit around 3.8% of them. Not bad, but I’m sure there’s a lot of interesting stuff I’m missing.

[Jun 08, 2011] Check Server HTTP Headers with CURL by George Notaras

October 6, 2006

As you may have noticed, I’ve changed my web site’s domain recently. Therefore, I had to redirect all requests to the new address. This has been done and it works as expected, but how about taking a closer look at the HTTP responses the web server returns to the client if an old URL is requested?

This is where CURL comes handy once again. CURL’s command line options include two very useful switches, -I and -L:

The combination of the above two switches results in having all the server responses’ headers printed to the terminal, until CURL receives a code other than 3xx.

So, here is a real-life example. I have made two major changes to my web site so far; one included a URL structure modification when I moved from a pure HTML web site to WordPress, while the second was a domain change from the free domain to the current paid domain name. So, this makes at least two permanent redirections. I say “at least”, because other necessary redirections could take place as well, for example, redirections of the version of the domain to the version, or redirections required for permalinks.

So, here is CURL’s output when I requested an old page of my web site:

$ curl -I -L
HTTP/1.1 301 Moved Permanently
Date: Fri, 06 Oct 2006 01:49:06 GMT
Server: Apache/2.2.2
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 301 Moved Permanently
Date: Fri, 06 Oct 2006 01:49:06 GMT
Server: Apache/2.2.2
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 301 Moved Permanently
Date: Fri, 06 Oct 2006 01:49:06 GMT
Server: Apache/2.2.2
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 06 Oct 2006 01:49:06 GMT
Server: Apache/2.2.2
X-Powered-By: PHP/5.1.4
Status: 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8

The above output shows that the client has to send 4 HTTP requests and receive 4 respective responses from the server in order to reach that old page’s final location:

  1. The first server response informs the client that the page has been permanently moved to the www version of the old domain.
  2. The second response indicates that the page has been permanently moved to the www version of the new domain using the old URL structure.
  3. The third indicates a permanent move to the new URL structure.
  4. The final response informs the client with a 200 OK code that it has reached the page’s final location.

In this example, CURL provides a clear view of what situation a browser, a search engine bot or any other HTTP client encounters when it tries to reach an old page.

I am not an expert, but I guess that too many redirects are not a good thing, not only by considering the small increase of the server load, but also that search engine bots might not like them very much. On the other hand, redirections are a necessary evil if you want links from other websites pointing to your old domain or your old URL structure to continue to be valid, which in fact adds “value” to your website, as search engine experts would say. So it’s a matter of choice.

[May 3 2008] submitting an html form with curl from bash

I am not sure if this is the best newsgroup for my question, so feel
free to redirect me.

I am trying to manipulate my ADSL modem via its web interface in a
shell script. Basically, I need to disable and reactive a certain
setting, something called ZIPB mode. I am assigned a dynamic IP by my
ISP, and when this changes, I need to reactivate ZIPB on the modem
manually (an unfortunate limitation on the manufacturer's part).

The HTML form looks like this:

# <i>disabled.</i>
# <FORM method="post" ACTION="/configuration/zipb.html/enable">
# <INPUT type="hidden" name="EmWeb_ns:vim:
4.ImZipbAgent:enabled" value="true">
# <INPUT type="hidden" name="EmWeb_ns:vim:3" value="/
# <INPUT type="submit" value="Enable">
# </FORM>

So, I try something like this in my shell script:


brackets () {
sed -e '
s/ /%20/g


input1=$(echo "EmWeb_ns:vim:4.ImZipbAgent:enabled"|brackets)"="$(echo
input2=$(echo "EmWeb_ns:vim:3"|brackets)"="$(echo "/configuration/

curl -d '"'$input1"&"$input2"&"$input3'"'
http://$user:$pass@copperjet/configuration/zipb.html/enable >2&1> /dev/

but all I get is a rather unhelpful reply:

curl: (52) Empty reply from server

Can anyone suggest ways of debugging this and/or easier ways to go
about this?

On a related note, I see that there is a book called from No Starch
called "Webbots, Spiders, and Screen Scrapers: A Guide to Developing
Internet Agents with PHP/CURL" which looks like it covers these techniques, but

a) I am not to keen on buying a book on a topic which I don't plan to
pursue further than this simple task, and

b) I am likewise not so keen on having to learn PHP just to enable me
to do this.

Thanks for any ideas,
-- Colin

Recommended Links

Softpanorama Top Visited

Softpanorama Recommended

cURL - Wikipedia, the free encyclopedia

cURL - Programs-Scripts Using Curl! forward standard GET proxy requests to a user@host ftp proxy Björn Stenberg
Curl::easy perl module for libcurl Georg Horn
cURL - Manual
cURL - Tutorial
cURL - Manual

WWWCurl - Perl extension interface for libcurl -

libcurl - the Perl Binding

The standard Perl WWW module, LWP should be used in most cases to work with the HTTP or FTP protocol from Perl. However, there are some cases where LWP doesn't perform well. One is speed and the other is paralellism. WWW::Curl is much faster, uses much less CPU cycles and it's capable of non-blocking parallel requests.

In some cases, for example when building a web crawler, cpu usage and parallel downloads are important considerations. It can be desirable to use WWW::Curl to do the heavy-lifting of a large number of downloads and wrap the resulting data into a Perl-friendly structure by HTTP::Response.

Getleft Tcl/Tk site grabber powered by Curl

PycURLA Python module interface to the cURL library.

HTTP extension for PHP Extended HTTP functionality for PHP.

curlpp A C++ wrapper for libcurl.

CurlFtpFS An FTP filesystem based on cURL and FUSE.

Curl HTTP Client - A simple but powerful curl-based HTTP client.

REXX/CURL - A Rexx external function package that provides an interface to the cURL package.


cURL - Manual


You always find news about what's going on as well as the latest versions from the curl web pages, located at:


Get the main page from netscape's web-server:


Get the root README file from funet's ftp-server:


Get a web page from a server using port 8000:


Get a list of the root directory of an FTP site:


Get a gopher document from funet's gopher server:

curl gopher://

Get the definition of curl from a dictionary:

curl dict://

Fetch two documents at once:



Get a web page and store in a local file:

curl -o thatpage.html

Get a web page and store in a local file, make the local file get the name of the remote document (if no file name part is specified in the URL, this will fail):

curl -O

Fetch two files and store them with their remote names:

curl -O -O



To ftp files using name+passwd, include them in the URL like:

curl ftp://name:passwd@machine.domain:port/full/path/to/file

or specify them with the -u flag like

curl -u name:passwd ftp://machine.domain:port/full/path/to/file


The HTTP URL doesn't support user and password in the URL string. Curl does support that anyway to provide a ftp-style interface and thus you can pick a file like:

curl http://name:passwd@machine.domain/full/path/to/file

or specify user and password separately like in

curl -u name:passwd http://machine.domain/full/path/to/file

NOTE! Since HTTP URLs don't support user and password, you can't use that style when using Curl via a proxy. You must use the -u style fetch during such circumstances.


Probably most commonly used with private certificates, as explained below.


Curl features no password support for gopher.


Get an ftp file using a proxy named my-proxy that uses port 888:

curl -x my-proxy:888

Get a file from a HTTP server that requires user and password, using the same proxy as above:

curl -u user:passwd -x my-proxy:888 http://www.get.this/

Some proxies require special authentication. Specify by using -U as above:

curl -U user:passwd -x my-proxy:888 http://www.get.this/

See also the environment variables Curl support that offer further proxy control.


With HTTP 1.1 byte-ranges were introduced. Using this, a client can request to get only one or more subparts of a specified document. Curl supports this with the -r flag.

Get the first 100 bytes of a document:

curl -r 0-99 http://www.get.this/

Get the last 500 bytes of a document:

curl -r -500 http://www.get.this/

Curl also supports simple ranges for FTP files as well. Then you can only specify start and stop position.

Get the first 100 bytes of a document using FTP:

curl -r 0-99 ftp://www.get.this/README



Upload all data on stdin to a specified ftp site:

curl -T -

Upload data from a specified file, login with user and password:

curl -T uploadfile -u user:passwd

Upload a local file to the remote site, and use the local file name remote too:

curl -T uploadfile -u user:passwd

Upload a local file to get appended to the remote file using ftp:

curl -T localfile -a

Curl also supports ftp upload through a proxy, but only if the proxy is configured to allow that kind of tunneling. If it does, you can run curl in a fashion similar to:

curl --proxytunnel -x proxy:port -T localfile ftp


Upload all data on stdin to a specified http site:

curl -T -

Note that the http server must've been configured to accept PUT before this can be done successfully.

For other ways to do http data upload, see the POST section below.


If curl fails where it isn't supposed to, if the servers don't let you in, if you can't understand the responses: use the -v flag to get verbose fetching. Curl will output lots of info and what it sends and receives in order to let the user see all client-server interaction (but it won't show you the actual data).

curl -v

To get even more details and information on what curl does, try using the --trace or --trace-ascii options with a given file name to log to, like this:

curl --trace trace.txt


Different protocols provide different ways of getting detailed information about specific files/documents. To get curl to show detailed information about a single file, you should use -I/--head option. It displays all available info on a single file for HTTP and FTP. The HTTP information is a lot more extensive.

For HTTP, you can get the header information (the same as -I would show) shown before the data by using -i/--include. Curl understands the -D/--dump-header option when getting files from both FTP and HTTP, and it will then store the headers in the specified file.

Store the HTTP headers in a separate file (headers.txt in the example):

curl --dump-header headers.txt

Note that headers stored in a separate file can be very useful at a later time if you want curl to use cookies sent by the server. More about that in the cookies section.


It's easy to post data using curl. This is done using the -d <data> option. The post data must be urlencoded.

Post a simple "name" and "phone" guestbook.

        curl -d "name=Rafael%20Sagula&phone=3320780"       

How to post a form with curl, lesson #1:

Dig out all the <input> tags in the form that you want to fill in. (There's a perl program called on the curl site that helps with this).

If there's a "normal" post, you use -d to post. -d takes a full "post string", which is in the format


The 'variable' names are the names set with "name=" in the <input> tags, and the data is the contents you want to fill in for the inputs. The data must be properly URL encoded. That means you replace space with + and that you write weird letters with %XX where XX is the hexadecimal representation of the letter's ASCII code.


(page located at

        <form action="post.cgi" method="post">
        <input name=user size=10>

        <input name=pass type=password size=10>
        <input name=id type=hidden value="blablabla">
        <input name=ding value="submit">

We want to enter user 'foobar' with password '12345'.

To post to this, you enter a curl command line like:

        curl -d "user=foobar&pass=12345&id=blablabla&dig=submit"  (continues)

While -d uses the application/x-www-form-urlencoded mime-type, generally understood by CGI's and similar, curl also supports the more capable multipart/form-data type. This latter type supports things like file upload.

-F accepts parameters like -F "name=contents". If you want the contents to be read from a file, use <@filename> as contents. When specifying a file, you can also specify the file content type by appending ';type=<mime type>' to the file name. You can also post the contents of several files in one field. For example, the field name 'coolfiles' is used to send three files, with different content types using the following syntax:

        curl -F "coolfiles=@fil1.gif;type=image/gif,fil2.txt,fil3.html"

If the content-type is not specified, curl will try to guess from the file extension (it only knows a few), or use the previously specified type (from an earlier file if several files are specified in a list) or else it will using the default type 'text/plain'.

Emulate a fill-in form with -F. Let's say you fill in three fields in a form. One field is a file name which to post, one field is your name and one field is a file description. We want to post the file we have written named "cooltext.txt". To let curl do the posting of this data instead of your favourite browser, you have to read the HTML source of the form page and find the names of the input fields. In our example, the input field names are 'file', 'yourname' and 'filedescription'.

        curl -F "file=@cooltext.txt" -F "yourname=Daniel"              -F "filedescription=Cool text file with cool text inside"    

To send two files in one post you can do it in two ways:

  1. Send multiple files in a single "field" with a single field name:

curl -F "pictures=@dog.gif,cat.gif"

2. Send two fields with two field names:

curl -F "docpicture=@dog.gif" -F "catpicture=@cat.gif"


A HTTP request has the option to include information about which address that referred to actual page. Curl allows you to specify the referrer to be used on the command line. It is especially useful to fool or trick stupid servers or CGI scripts that rely on that information being available or contain certain data.

curl -e

NOTE: The referer field is defined in the HTTP spec to be a full URL.


A HTTP request has the option to include information about the browser that generated the request. Curl allows it to be specified on the command line. It is especially useful to fool or trick stupid servers or CGI scripts that only accept certain browsers.


curl -A 'Mozilla/3.0 (Win95; I)'

Other common strings:
'Mozilla/3.0 (Win95; I)' Netscape Version 3 for Windows 95 'Mozilla/3.04 (Win95; U)' Netscape Version 3 for Windows 95

    'Mozilla/2.02 (OS/2; U)'     Netscape Version 2 for OS/2
    'Mozilla/4.04 [en] (X11; U; AIX 4.2; Nav)'           NS for AIX
    'Mozilla/4.05 [en] (X11; U; Linux 2.0.32 i586)'      NS for Linux

Note that Internet Explorer tries hard to be compatible in every way: 'Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)' MSIE for W95

Mozilla is not the only possible User-Agent name: 'Konqueror/1.0' KDE File Manager desktop client 'Lynx/2.7.1 libwww-FM/2.14' Lynx command line browser


Cookies are generally used by web servers to keep state information at the client's side. The server sets cookies by sending a response line in the headers that looks like 'Set-Cookie: <data>' where the data part then typically contains a set of NAME=VALUE pairs (separated by semicolons ';' like "NAME1=VALUE1; NAME2=VALUE2;"). The server can also specify for what path the "cookie" should be used for (by specifying "path=value"), when the cookie should expire ("expire=DATE"), for what domain to use it ("domain=NAME") and if it should be used on secure connections only ("secure").

If you've received a page from a server that contains a header like:

Set-Cookie: sessionid=boo123; path="/foo";

it means the server wants that first pair passed on when we get anything in a path beginning with "/foo".

Example, get a page that wants my name passed in a cookie:

curl -b "name=Daniel"

Curl also has the ability to use previously received cookies in following sessions. If you get cookies from a server and store them in a file in a manner similar to:

curl --dump-header headers

... you can then in a second connect to that (or another) site, use the cookies from the 'headers' file like:

curl -b headers

While saving headers to a file is a working way to store cookies, it is however error-prone and not the prefered way to do this. Instead, make curl save the incoming cookies using the well-known netscape cookie format like this:

curl -c cookies.txt

Note that by specifying -b you enable the "cookie awareness" and with -L you can make curl follow a location: (which often is used in combination with cookies). So that if a site sends cookies and a location, you can use a non-existing file to trigger the cookie awareness like:

curl -L -b empty.txt

The file to read cookies from must be formatted using plain HTTP headers OR as netscape's cookie file. Curl will determine what kind it is based on the file contents. In the above command, curl will parse the header and store the cookies received from curl will send to the server the stored cookies which match the request as it follows the location. The file "empty.txt" may be a non-existant file.

Alas, to both read and write cookies from a netscape cookie file, you can set both -b and -c to use the same file:

curl -b cookies.txt -c cookies.txt


The progress meter exists to show a user that something actually is happening. The different fields in the output have the following meaning:

  % Total    % Received % Xferd  Average Speed          Time             Curr.
                                 Dload  Upload Total    Current  Left    Speed
  0  151M    0 38608    0     0   9406      0  4:41:43  0:00:04  4:41:39  9287

From left-to-right:

   %             - percentage completed of the whole transfer
   Total         - total size of the whole expected transfer
   %             - percentage completed of the download
   Received      - currently downloaded amount of bytes
   %             - percentage completed of the upload
   Xferd         - currently uploaded amount of bytes
   Average Speed
   Dload         - the average transfer speed of the download
   Average Speed
   Upload        - the average transfer speed of the upload

Time Total - expected time to complete the operation Time Current - time passed since the invoke Time Left - expected time left to completetion Curr.Speed - the average transfer speed the last 5 seconds (the first

5 seconds of a transfer is based on less time of course.)

The -# option will display a totally different progress bar that doesn't need much explanation!


Curl allows the user to set the transfer speed conditions that must be met to let the transfer keep going. By using the switch -y and -Y you can make curl abort transfers if the transfer speed is below the specified lowest limit for a specified time.

To have curl abort the download if the speed is slower than 3000 bytes per second for 1 minute, run:

curl -Y 3000 -y 60

This can very well be used in combination with the overall time limit, so that the above operatioin must be completed in whole within 30 minutes:

curl -m 1800 -Y 3000 -y 60

Forcing curl not to transfer data faster than a given rate is also possible, which might be useful if you're using a limited bandwidth connection and you don't want your transfer to use all of it (sometimes referred to as "bandwith throttle").

Make curl transfer data no faster than 10 kilobytes per second:

curl --limit-rate 10K


curl --limit-rate 10240

Or prevent curl from uploading data faster than 1 megabyte per second:

curl -T upload --limit-rate 1M

When using the --limit-rate option, the transfer rate is regulated on a per-second basis, which will cause the total transfer speed to become lower than the given number. Sometimes of course substantially lower, if your transfer stalls during periods.


Curl automatically tries to read the .curlrc file (or _curlrc file on win32 systems) from the user's home dir on startup.

The config file could be made up with normal command line switches, but you can also specify the long options without the dashes to make it more readable. You can separate the options and the parameter with spaces, or with = or :. Comments can be used within the file. If the first letter on a line is a '#'-letter the rest of the line is treated as a comment.

If you want the parameter to contain spaces, you must inclose the entire parameter within double quotes ("). Within those quotes, you specify a quote as \".

NOTE: You must specify options and their arguments on the same line.

Example, set default time out and proxy in a config file:

#We  want a 30 minute timeout:
        -m 1800
#. .. and we use a proxy for all accesses:
        proxy =

White spaces ARE significant at the end of lines, but all white spaces leading up to the first characters of each line are ignored.

Prevent curl from reading the default file by using -q as the first command line parameter, like:

curl -q

Force curl to get and display a local help page in case it is invoked without URL by making a config file similar to:

#default  url to get
        url = ""

You can specify another config file to be read by using the -K/--config flag. If you set config file name to "-" it'll read the config from stdin, which can be handy if you want to hide options from being visible in process tables etc:

echo "user = user:passwd" | curl -K -


When using curl in your own very special programs, you may end up needing to pass on your own custom headers when getting a web page. You can do this by using the -H flag.

Example, send the header "X-you-and-me: yes" to the server when getting a page:

curl -H "X-you-and-me: yes"

This can also be useful in case you want curl to send a different text in a header than it normally does. The -H header you specify then replaces the header curl would normally send. If you replace an internal header with an empty one, you prevent that header from being sent. To prevent the Host: header from being used:

curl -H "Host:"


Do note that when getting files with the ftp:// URL, the given path is relative the directory you enter. To get the file 'README' from your home directory at your ftp site, do:


But if you want the README file from the root directory of that very same site, you need to specify the absolute file name:


(I.e with an extra slash in front of the file name.)

FTP and firewalls

The FTP protocol requires one of the involved parties to open a second connction as soon as data is about to get transfered. There are two ways to do this.

The default way for curl is to issue the PASV command which causes the server to open another port and await another connection performed by the client. This is good if the client is behind a firewall that don't allow incoming connections.

curl ftp

If the server for example, is behind a firewall that don't allow connections on other ports than 21 (or if it just doesn't support the PASV command), the other way to do it is to use the PORT command and instruct the server to connect to the client on the given (as parameters to the PORT command) IP number and port.

The -P flag to curl supports a few different options. Your machine may have several IP-addresses and/or network interfaces and curl allows you to select which of them to use. Default address can also be used:

curl -P - ftp

Download with PORT but use the IP address of our 'le0' interface (this does not work on windows):

curl -P le0 ftp

Download with PORT but use as our IP address to use:

curl -P ftp


Get a web page from a server using a specified port for the interface:

curl --interface eth0:1


curl --interface


Secure HTTP requires SSL libraries to be installed and used when curl is built. If that is done, curl is capable of retrieving and posting documents using the HTTPS procotol.



Curl is also capable of using your personal certificates to get/post files from sites that require valid certificates. The only drawback is that the certificate needs to be in PEM-format. PEM is a standard and open format to store certificates with, but it is not used by the most commonly used browsers (Netscape and MSIE both use the so called PKCS#12 format). If you want curl to use the certificates you use with your (favourite) browser, you may need to download/compile a converter that can convert your browser's formatted certificates to PEM formatted ones. This kind of converter is included in recent versions of OpenSSL, and for older versions Dr Stephen N. Henson has written a patch for SSLeay that adds this functionality. You can get his patch (that requires an SSLeay installation) from his site at:

Example on how to automatically retrieve a document using a certificate with a personal password:

curl -E /path/to/cert.pem:password

If you neglect to specify the password on the command line, you will be prompted for the correct password before any data can be received.

Many older SSL-servers have problems with SSLv3 or TLS, that newer versions of OpenSSL etc is using, therefore it is sometimes useful to specify what SSL-version curl should use. Use -3, -2 or -1 to specify that exact SSL version to use (for SSLv3, SSLv2 or TLSv1 respectively):

curl -2

Otherwise, curl will first attempt to use v3 and then v2.

To use OpenSSL to convert your favourite browser's certificate into a PEM formatted one that curl can use, do something like this (assuming netscape, but IE is likely to work similarly):

You start with hitting the 'security' menu button in netscape.

Select 'certificates->yours' and then pick a certificate in the list

Press the 'export' button

enter your PIN code for the certs

select a proper place to save it

Run the 'openssl' application to convert the certificate. If you cd to the openssl installation, you can do it like:

#. /apps/openssl pkcs12 -in [file you saved] -clcerts -out [PEMfile]


To continue a file transfer where it was previously aborted, curl supports resume on http(s) downloads as well as ftp uploads and downloads.

Continue downloading a document:

curl -C - -o file

Continue uploading a document(*1):

curl -C - -T file

Continue downloading a document from a web server(*2):

curl -C - -o file

(*1) = This requires that the ftp server supports the non-standard command

SIZE. If it doesn't, curl will say so.

(*2) = This requires that the web server supports at least HTTP/1.1. If it

doesn't, curl will say so.


HTTP allows a client to specify a time condition for the document it requests. It is If-Modified-Since or If-Unmodified-Since. Curl allow you to specify them with the -z/--time-cond flag.

For example, you can easily make a download that only gets performed if the remote file is newer than a local copy. It would be made like:

curl -z local.html

Or you can download a file only if the local file is newer than the remote one. Do this by prepending the date string with a '-', as in:

curl -z -local.html

You can specify a "free text" date as condition. Tell curl to only download the file if it was updated since yesterday:

curl -z yesterday

Curl will then accept a wide range of date formats. You always make the date check the other way around by prepending it with a dash '-'.


For fun try

        curl dict://
        curl dict://
        curl dict://

Aliases for 'm' are 'match' and 'find', and aliases for 'd' are 'define' and 'lookup'. For example,

curl dict://

Commands that break the URL description of the RFC (but not the DICT protocol) are

        curl dict://
        curl dict://

Authentication is still missing (but this is not required by the RFC)


If you have installed the OpenLDAP library, curl can take advantage of it and offer ldap:// support.

LDAP is a complex thing and writing an LDAP query is not an easy task. I do advice you to dig up the syntax description for that elsewhere. Two places that might suit you are:

Netscape's "Netscape Directory SDK 3.0 for C Programmer's Guide Chapter 10: Working with LDAP URLs":

RFC 2255, "The LDAP URL Format"

To show you an example, this is now I can get all people from my local LDAP server that has a certain sub-domain in their email address:

curl -B "ldap://*"

If I want the same info in HTML format, I can get it by not using the -B (enforce ASCII) flag.


Curl reads and understands the following environment variables:


They should be set for protocol-specific proxies. General proxy should be set with ALL_PROXY

A comma-separated list of host names that shouldn't go through any proxy is set in (only an asterisk, '*' matches all hosts) NO_PROXY If a tail substring of the domain-path for a host matches one of these strings, transactions with that node will not be proxied.

The usage of the -x/--proxy flag overrides the environment variables.


Unix introduced the .netrc concept a long time ago. It is a way for a user to specify name and password for commonly visited ftp sites in a file so that you don't have to type them in each time you visit those sites. You realize this is a big security risk if someone else gets hold of your passwords, so therefor most unix programs won't read this file unless it is only readable by yourself (curl doesn't care though).

Curl supports .netrc files if told so (using the -n/--netrc and --netrc-optional options). This is not restricted to only ftp, but curl can use it for all protocols where authentication is used.

A very simple .netrc file could look something like:

machine login iamdaniel password mysecret


To better allow script programmers to get to know about the progress of curl, the -w/--write-out option was introduced. Using this, you can specify what information from the previous transfer you want to extract.

To display the amount of bytes downloaded together with some text and an ending newline:

curl -w 'We downloaded %{size_download} bytes\n'


Curl supports kerberos4 for FTP transfers. You need the kerberos package installed and used at curl build time for it to be used.

First, get the krb-ticket the normal way, like with the kauth tool. Then use curl in way similar to:

curl --krb4 private -u username:fakepwd

There's no use for a password on the -u switch, but a blank one will make curl ask for one and you already entered the real password to kauth.


The curl telnet support is basic and very easy to use. Curl passes all data passed to it on stdin to the remote server. Connect to a remote telnet server using a command line similar to:

curl telnet://

And enter the data to pass to the server on stdin. The result will be sent to stdout or to the file you specify with -o.

You might want the -N/--no-buffer option to switch off the buffered output for slow connections or similar.

Pass options to the telnet protocol negotiation, by using the -t option. To tell the server we use a vt100 terminal, try something like:

curl -tTTYPE=vt100 telnet://

Other interesting options for it -t include:

NOTE: the telnet protocol does not specify any way to login with a specified user and password so curl can't do that automatically. To do that, you need to track when the login prompt is received and send the username and password accordingly.


Specifying multiple files on a single command line will make curl transfer all of them, one after the other in the specified order.

libcurl will attempt to use persistant connections for the transfers so that the second transfer to the same host can use the same connection that was already initiated and was left open in the previous transfer. This greatly decreases connection time for all but the first transfer and it makes a far better use of the network.

Note that curl cannot use persistant connections for transfers that are used in subsequence curl invokes. Try to stuff as many URLs as possible on the same command line if they are using the same host, as that'll make the transfers faster. If you use a http proxy for file transfers, practicly all transfers will be persistant.

Persistant connections were introduced in curl 7.7.


For your convenience, we have several open mailing lists to discuss curl, its development and things relevant to this. Get all info at The lists available are:


Users of the command line tool. How to use it, what doesn't work, new features, related tools, questions, news, installations, compilations, running, porting etc.


Developers using or developing libcurl. Bugs, extensions, improvements.


Low-traffic. Only announcements of new public versions.


Using the curl functions in PHP. Everything curl with a PHP angle. Or PHP with a curl angle.


Receives notifications on all CVS commits done to the curl source module. This can become quite a large amount of mails during intense development, be aware. This is for us who like email...


Receives notifications on all CVS commits done to the curl www module (basicly the web site). This can become quite a large amount of mails during intense changing, be aware. This is for us who like email...

Please direct curl questions, feature requests and trouble reports to one of these mailing lists instead of mailing any individual.



Groupthink : Understanding Micromanagers and Control Freaks : Toxic Managers : BureaucraciesHarvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Two Party System as Polyarchy : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy


Skeptical Finance : John Kenneth Galbraith : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Oscar Wilde : Talleyrand : Somerset Maugham : War and Peace : Marcus Aurelius : Eric Hoffer : Kurt Vonnegut : Otto Von Bismarck : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Oscar Wilde : Bernard Shaw : Mark Twain Quotes


Vol 26, No.1 (January, 2013) Object-Oriented Cult : Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks: The efficient markets hypothesis : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law


Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor


The Last but not Least

Copyright © 1996-2014 by Dr. Nikolai Bezroukov. was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine. This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting hosting of this site with different providers to distribute and speed up access. Currently there are two functional mirrors: (the fastest) and


The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: February 19, 2014