curl, it's got u
David Owens

Publish Date: May 14

I like curl: it's available as a command line tool and is pretty ubiquitous across platforms.

This allows me to compose an HTTP request against a test environment, check everything worked as expected, and then copy that request from my terminal with the intent of running it on production.

Easy - it's all just plain text now, do a find-and-replace on the hostname and it's ready to go!

Here's a hypothetical I've prepared featuring some very important resources I'm going to alter.

curl -X DELETE https://prod.server.net/fig-rolls

However, an interface like that should authenticate whoever is conducting such a privileged operation. For this, many still use Basic Auth.

Basic Auth just needs me to base64 encode the username and password and pop it in the Authorization header, so I'll just grab the password out of the secrets management system and do that...

printf '%s' 'admin:p4ssw0rd' | base64

(Glad we're spending 5K a year on Vault to protect that /s)

OK, it's ready:

curl -H 'Authorization: Basic YWRtaW46cDRzc3cwcmQ=' -X DELETE https://prod.server.net/fig-rolls

To get that run in production it might require me to:

  • send it to a colleague
  • commit to a git repository
  • document in some implementation plan (change management)

You really don't want to put that Authorization header value in any of those.

echo YWRtaW46cDRzc3cwcmQ= | base64 --decode

Yeah, no.

But here curl can help you, with -u, you --user you.

curl -u admin -X DELETE https://prod.server.net/fig-rolls

Note there is no secret or encoding of a secret in the command. Instead, you get an interactive prompt!

Enter host password for user 'admin':

No longer do you have to instruct someone (or future you) how to encode the password and modify the curl command. Just retrieve it when needed and supply it to the prompt; curl takes care of the encoding and the addition of the header for you.

OK I'm off to rotate that password above now. Get some special characters in it and make it longerer.

Here we go: .$@[BD:O]_'=M0H;mzkgLOUr1

And yes, here we have another nice benefit of using the interactive prompt. I no longer have to worry about escaping that lot correctly in a shell.

There are other benefits to keeping secrets out of any commands you run in a shell; more knowledgeable people, feel free to chime in in the comments.
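One way to catch the leaky forms before they reach a colleague, a repository or a change plan, as an added example that is not part of the original post: a shell function that scans text for curl commands carrying Basic Auth credentials, either as an Authorization: Basic header or as -u user:password, and reports only the username. The function names and the sample plan are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find curl commands that embed
# Basic Auth credentials. Output is "<line>:<kind>:<username>"; the password
# is never printed. Returns 1 if anything was found, 0 otherwise.
scan_curl_secrets() {
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Case 1: a literal "Authorization: Basic <base64>" header.
        token=$(printf '%s\n' "$line" |
            sed -nE 's#.*[Aa]uthorization: *Basic +([A-Za-z0-9+/=]+).*#\1#p')
        if [ -n "$token" ]; then
            # base64 is an encoding, not encryption: decoding recovers user:password.
            creds=$(printf '%s' "$token" | base64 --decode 2>/dev/null) || creds=
            case $creds in
                *:*) printf '%s:basic-header:%s\n' "$n" "${creds%%:*}"; found=1 ;;
            esac
        fi
        # Case 2: -u/--user given as user:password instead of just the user.
        user=$(printf '%s\n' "$line" |
            sed -nE "s#.* (-u|--user)[ =]+['\"]?([^ :'\"]+):[^ ]+.*#\\2#p")
        if [ -n "$user" ]; then
            printf '%s:inline-user:%s\n' "$n" "$user"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: a change plan with two leaky commands and one safe one.
sample_plan() {
    cat <<'EOF'
# change plan (constructed sample)
curl -H 'Authorization: Basic YWRtaW46cDRzc3cwcmQ=' -X DELETE https://prod.server.net/fig-rolls
curl -u admin:p4ssw0rd -X DELETE https://prod.server.net/fig-rolls
curl -u admin -X DELETE https://prod.server.net/fig-rolls
EOF
}

sample_plan | scan_curl_secrets || echo "secrets found: do not share or commit"
```

Because the function reads stdin and returns non-zero on a finding, it can gate a commit by piping the staged diff into it.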

If you want to know more about authentication with curl, this is an excellent summary of the options available, including alternative schemes to Basic Auth and how to authenticate against proxies:
https://everything.curl.dev/http/auth.html

Thanks for reading.
