If you ever worked with APIs or tested HTTPS endpoints using curl, you’ve probably run into a frustrating SSL error — especially when dealing with self-signed certificates or local environments. To quickly get past it, many developers use the -k or —insecure flag to “ignore SSL”. But what exactly does this do? And is it safe?
In this article, we’ll explore how curl handles SSL verification, what happens when you bypass it using -k, and — most importantly — when doing so is acceptable or poses a serious security risk. Whether you’re debugging a local server or building automation scripts, understanding this tiny flag can save you time and possibly protect you from a security breach.
What is SSL Verification in cURL?
When you make an HTTPS request using curl, it doesn’t just connect to the server it also verifies that the server’s SSL/TLS certificate is valid and trustworthy. This process is called SSL certificate verification, and it’s an important security feature built into curl by default.
Why it matters:
SSL (Secure Sockets Layer), or more accurately TLS (Transport Layer Security), is what keeps your data encrypted when sent over the internet. Before curl sends any data to the server, it checks:
- Is the certificate issued by a trusted Certificate Authority (CA)?
- Is the certificate expired or still valid?
- Does the certificate match the domain name you’re connecting to?
If any of these checks fail, curl will stop the request and return an error like:
curl: (60) SSL certificate problem: self signed certificateThis behavior is intentional and protective; it prevents you from accidentally sending sensitive data to a potentially malicious or misconfigured server.
curl https://example.com
# If the SSL cert is invalid or untrusted, you'll see an error.So when you see an SSL error in curl, it’s not a bug; it’s a warning that something might be wrong with the server’s security setup.
How to Ignore SSL in cURL
If you’re working with a local server, a staging environment, or an internal tool using a self-signed or misconfigured certificate, curl will throw an SSL error by default. In such cases when you’re sure the connection is safe you can bypass SSL certificate verification using the -k or --insecure flag and you have two options: the basic and the long version syntax.
Basic syntax:
curl -k https://your-url.comLong version:
curl --insecure https://your-url.comThis tells curl to skip the SSL certificate checks entirely. The request will go through, even if the certificate is invalid, expired, or self-signed.
However, using -k makes your connection vulnerable to man-in-the-middle (MITM) attacks because you’re disabling the very mechanism that ensures you’re talking to the correct server. That’s why this flag should only be used in specific scenarios, namely:
- In trusted environments (like your local machine)
- For debugging or testing purposes
- With full awareness of the security implications
Never use -k in production scripts, on public networks, or with sensitive data.
When is it Okay to Ignore SSL?
While skipping SSL verification with curl -k is generally discouraged, there are a few limited, controlled scenarios where it’s acceptable, even practical to use it. The key is understanding the context and risks. Safe use cases include:
Local Development
- You’re working on
localhostwith a self-signed certificate. - The SSL cert isn’t from a trusted Certificate Authority (CA), but you trust it because you generated it yourself.
Testing/Staging Environments
- Temporary systems where security isn’t the top priority (yet).
- For example, automated tests or internal QA setups using mock data.
Internal or Isolated Networks
- Servers are behind a firewall or VPN, and both client and server are under your full control.
- No public internet exposure, and risk of interception is extremely low.
Short-Term Debugging
- You’re quickly diagnosing an issue with an endpoint and want to isolate the problem without worrying about SSL errors.
- As long as you remember to remove the flag later
Still, be cautious. Even in these “safe” situations, it’s better practice to:
- Use tools like
mkcertto generate trusted certs for local dev. - Add your self-signed cert to your system’s trust store.
- Fix the SSL issue instead of working around it permanently.
Using curl -k should always be a temporary workaround, not a long-term solution.
Why Ignoring SSL in Production Is Dangerous
Using the -k or --insecure flag in production environments might seem like a quick fix, but it’s one of the riskiest shortcuts you can take. SSL/TLS is what protects data in transit, verifies the identity of servers, and prevents third parties from intercepting or altering your data. Disabling it effectively removes all of that protection.
Here’s why it’s a bad idea in production:
- MITM Attacks: If you’ve turned off SSL verification, bad actors can intercept your data or impersonate the server, which is especially bad on a public Wi-Fi network or cloud server.
- Insecure Data: All information sent over an insecure connection is at risk of interception, from login details, API keys, and more.
- Break HTTPS: SSL certificates are how you guarantee you’re not talking to a hijacked or faked server — ignoring SSL removes this safety net.
- Non-Compliance: Safety, security, and privacy regulations like SOC 2, GDPR and others require data to be protected, and ignoring SSL violates those standards.
- Missing Real Security Issues: In normal circumstances you’ll get SSL errors regarding expired or revoked certificates — by ignoring SSL certificates you have no way of knowing those errors are being thrown.
Alternatives to Ignoring SSL with cURL
As a developer you have other, safer, options to resolve SSL-related issues rather than using curl -k to bypass SSL verification. Let’s talk about some of the options:
1. Use a Trusted Certificate
The most straightforward fix is to install a valid SSL certificate issued by a trusted Certificate Authority (CA). You can get one for free using:
- Let’s Encrypt
- Cloudflare SSL (for proxies or edge)
This ensures your certificate will pass cURL’s default verification.
2. Use mkcert for Local Development
If you’re working locally and don’t want to mess with full CA signing, mkcert is a great tool. It creates locally-trusted development certificates without requiring the -k flag.
mkcert localhostThen, configure your server to use the generated certificate, and cURL won’t complain.
3. Add the Certificate to Your Trusted Store
If you’re using a self-signed certificate, you can explicitly trust it by adding it to your system’s certificate store or passing it to curl using –cacert.
curl --cacert /path/to/certificate.pem https://your.server.comThis lets cURL verify SSL without disabling it entirely.
4. Fix the Root Issue
Often, SSL issues are due to misconfiguration: expired certs, wrong domain names, or missing intermediate certs. It’s better to:
- Regenerate the certificate properly
- Check the certificate chain
- Ensure the server is serving the full certificate bundle
5. Use Environment-Based Logic (Advanced)
If you’re writing scripts or apps, consider toggling SSL verification based on environment variables:
if ["$ENV" = "production"]; then
crul https://api.yourdomain.com
else
curl -k https://dev.api.yourdomain.com
fiKeep in mind that even in dev, it’s better to fix SSL instead of ignoring it.
Best Practices When Ignoring SSL with cURL
Rather than unlearn bad habits, it’s best to use best practices from the jump. This is especially true when working work cURL and SSL. Using curl -k to ignore SSL might be more convenient, but as we discussed, creates security risks where none need to exist. Here are some best practices to follow:
Avoid -k in Scripts and Automation
Unless you have a very specific reason not to, always verify certificates. Don’t hardcode -k into shell scripts, production systems, or CI pipelines. It can create silent vulnerabilities. You may forget to undo that change and create silent, avoidable, vulnerabilities.
Address the Root Problem
Rather than hide the problem with –insecure, solve the underlying problem by:
- Using a valid certificate
- Making sure the hoestname matches
- Checking that the full certificate is provided by the serverIf SSL verification fails, try to solve the root cause:
Use Environment-Specific Certificates
Use tools like mkcert for local development and trusted CA-issued certificates for production. This keeps dev environments flexible without compromising prod security.
Use –cacert or –cert Instead of -k
If you’re working with internal or self-signed certs, provide cURL with a trusted cert directly:
curl --cacert /path/to/ca.pem https://your-server.comThis maintains security while allowing for non-public certs.
Document and Review Exceptions
If you ever need to disable SSL verification (even temporarily), document why, where, and when and include a reminder to fix it. Regularly review your code and scripts for insecure flags like -k.
Educate Your Team
Sometimes shortcuts are copied without understanding the risks. Make sure your team knows:
- What
-kdoes - When it’s appropriate (rarely)
- Safer alternatives they can use
Conclusion
Even though curl -k and the –insecure flag are really convenient during development, hardcoding them into your script or CI/CD pipeline is a bad idea. Other than the security issues it creates, you might forget you put them in and create a security problem where none needed to exist.
Key Takeaways:
curl -kdisables SSL verification.- There are really specific situations in which it’s okay to ignore SSL: local development, staging, on internal networks, and when you’re debugging.
- Ignoring SSL in a production setting can lead to data leaks, attacks form bad actors, and more.
- Use trusted certs, mkcert, or –cacert instead of curl -k.
- Fix the underlying issue with your SSL instead of ignoring it.
SSL certificates exist for a reason — protecting data, combating spoofed or hijacked servers, and more — and being careless with where you use cURL to ignore SSL is bad practice. With that being said, we know you’re going to do it anyway, so at least do it properly.
