cURL Command Standards

Beginner

Enforce consistent cURL command formatting — required flags, header conventions, body formatting, and security practices for reproducible and safe HTTP requests.

File Patterns

**/*.sh**/*.bash**/Makefile

This rule applies to files matching the patterns above.

Rule Content

rule-content.md

# cURL Command Standards

## Rule
All cURL commands in scripts MUST include -sS flags, explicit Content-Type headers for request bodies, and use environment variables for credentials.

## Required Flags for Scripts
```bash
# ALWAYS use in automated scripts
curl -sS \              # Silent + show errors
  --fail-with-body \    # Non-zero exit on HTTP errors
  --compressed \         # Accept compressed responses
  -H "Content-Type: application/json" \  # Explicit content type
  https://api.example.com/endpoint
```

## Flag Meanings
| Flag | Purpose | When to Use |
|------|---------|-------------|
| -s | Silent (no progress) | Always in scripts |
| -S | Show errors even in silent mode | Always with -s |
| -f | Fail on HTTP errors | CI/CD scripts |
| --compressed | Accept gzip/deflate/br | Always |
| -w | Format output | Response parsing |
| -o | Output to file | Downloads |
| -v | Verbose debug output | Interactive debugging only |

## Command Formatting

### Good — Readable, Multi-line
```bash
curl -sS -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Alice", "role": "admin"}' \
  "https://api.example.com/users"
```

### Bad — One-liner, Hardcoded Credentials
```bash
curl -X POST -H "Authorization: Bearer sk-1234567890" -d '{"name":"Alice"}' https://api.example.com/users
```

## Credential Rules
```bash
# Good — environment variables
curl -sS -H "Authorization: Bearer $API_TOKEN" "$API_URL/users"

# Good — .env file loaded
source .env
curl -sS -H "X-API-Key: $API_KEY" "$BASE_URL/data"

# Bad — hardcoded credentials
curl -sS -H "Authorization: Bearer sk-abc123real-token" https://api.example.com/users
```

## Anti-Patterns
- Missing -s in scripts (progress bar breaks output parsing)
- Hardcoded tokens and credentials
- One-line commands > 120 characters (unreadable)
- Using -k/--insecure in production (disables TLS verification)
- Missing Content-Type for POST/PUT requests
- Using -v in automated scripts (noisy output)

FAQ

Discussion

Loading comments...

# cURL Command Standards ## Rule All cURL commands in scripts MUST include -sS flags, explicit Content-Type headers for request bodies, and use environment variables for credentials. ## Required Flags for Scripts ```bash # ALWAYS use in automated scripts curl -sS \ # Silent + show errors --fail-with-body \ # Non-zero exit on HTTP errors --compressed \ # Accept compressed responses -H "Content-Type: application/json" \ # Explicit content type https://api.example.com/endpoint ``` ## Flag Meanings | Flag | Purpose | When to Use | |------|---------|-------------| | -s | Silent (no progress) | Always in scripts | | -S | Show errors even in silent mode | Always with -s | | -f | Fail on HTTP errors | CI/CD scripts | | --compressed | Accept gzip/deflate/br | Always | | -w | Format output | Response parsing | | -o | Output to file | Downloads | | -v | Verbose debug output | Interactive debugging only | ## Command Formatting ### Good — Readable, Multi-line ```bash curl -sS -X POST \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{"name": "Alice", "role": "admin"}' \ "https://api.example.com/users" ``` ### Bad — One-liner, Hardcoded Credentials ```bash curl -X POST -H "Authorization: Bearer sk-1234567890" -d '{"name":"Alice"}' https://api.example.com/users ``` ## Credential Rules ```bash # Good — environment variables curl -sS -H "Authorization: Bearer $API_TOKEN" "$API_URL/users" # Good — .env file loaded source .env curl -sS -H "X-API-Key: $API_KEY" "$BASE_URL/data" # Bad — hardcoded credentials curl -sS -H "Authorization: Bearer sk-abc123real-token" https://api.example.com/users ``` ## Anti-Patterns - Missing -s in scripts (progress bar breaks output parsing) - Hardcoded tokens and credentials - One-line commands > 120 characters (unreadable) - Using -k/--insecure in production (disables TLS verification) - Missing Content-Type for POST/PUT requests - Using -v in automated scripts (noisy output)