Is "curl -u username:password http://example.com" secure?

It is unsafe, because cURL defaults to Basic authentication, where the HTTP protocol sends your password in clear text. When you specify the username:password string, it gets converted to a Base64 string in the HTTP header:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

Anyone able to intercept your HTTP traffic (your provider, anyone using the same wireless AP as you, etc.) will be able to recover the password by simply using an online Base64 converter.

The HTTPS protocol will make things better by establishing an encrypted connection before this header is sent, preventing the password from being revealed. However, this only applies if the user pays attention when asked to confirm unknown certificates, authorize security exceptions and so on.

Note that command arguments might be visible to other users on the same machine, e.g. via ps -ef, the /proc filesystem, your bash history, and your terminal log (thanks to @Lambert's comment noting this). cURL on some platforms attempts to hide the password, so for example with ps -ef you are likely to see blank space instead of the password. However, instead of passing the password as a command line argument, having cURL prompt for the password directly is better, as discussed in the cURL FAQ.
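The two points above (Base64 is trivially reversible, and the credential should not be on the command line) as an added shell example; it is not part of the original answer. The captured request is constructed, `decode_basic_auth`, `encode_basic_auth` and `write_curl_config` are helper names chosen here, and the curl invocations at the end assume the `-u`, `-K` and `-n` options as documented in the curl manual (they need network access, so they are shown but not run):

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes a POSIX shell and a
# `base64` utility that accepts -d (GNU coreutils and modern BSD both do).

# Constructed sample of what an on-path observer captures when you run
#   curl -u username:password http://example.com
CAPTURED_REQUEST='GET / HTTP/1.1
Host: example.com
User-Agent: curl/8.0.1
Accept: */*
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='

# Pull the Basic credential out of a captured request and decode it.
# Base64 is an encoding, not encryption: no key is needed.
decode_basic_auth() {
    printf '%s\n' "$1" \
      | sed -n 's/^Authorization: Basic[[:space:]]*//p' \
      | tr -d '\r' \
      | base64 -d
}

# Build the header value curl sends for a given user:password, to show
# that the mapping is deterministic and reversible.
encode_basic_auth() {
    printf 'Basic %s' "$(printf '%s' "$1" | base64 | tr -d '\n')"
}

# Write a curl config file holding the credential with mode 0600, so the
# password is read with `curl -K file` and never appears in argv, ps output
# or shell history. Prints the config path.
write_curl_config() {
    cfg="$1"
    cred="$2"
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; printf 'user = "%s"\n' "$cred" > "$cfg" )
    printf '%s\n' "$cfg"
}

# Safer invocations (assumed from the curl manual; not executed here):
#   curl -u username https://example.com        # curl prompts for the password
#   curl -K "$(write_curl_config ./curl.cfg username:password)" https://example.com
#   curl -n https://example.com                 # credential from ~/.netrc (mode 0600)
```

Running `decode_basic_auth "$CAPTURED_REQUEST"` prints `username:password`, which is exactly what the "online Base64 converter" step in the answer does; none of the safer invocations change the Authorization header on the wire, so they still need HTTPS.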


It is not secure. Command line parameters are visible to all users.
