cURL Security Rules
Beginner
Security standards for cURL usage — credential management, TLS verification, header sanitization, and safe scripting practices to prevent token leaks and man-in-the-middle attacks.
File Patterns
**/*.sh
**/*.bash
**/.curlrc
This rule applies to files matching the patterns above.
Rule Content
rule-content.md
# cURL Security Rules
## Rule
All cURL usage MUST protect credentials, verify TLS, sanitize output, and never expose tokens in command history, logs, or error messages.
## Credential Protection
### Good — Environment Variables
```bash
# Credentials from environment
curl -sS -H "Authorization: Bearer $API_TOKEN" "$API_URL/users"
```
### Good — Config File
```bash
# Config file read by curl from ~/.curlrc or via -K <file>
# config.curl (gitignored, mode 0600 so other local users cannot read the token)
header = "Authorization: Bearer my-secret-token"
```
### Bad — Hardcoded in Command
```bash
# Token visible in shell history, process list, logs
curl -H "Authorization: Bearer sk-abc123" https://api.example.com/data
```
## TLS Rules
```bash
# NEVER in production scripts
curl -k https://api.example.com/data # INSECURE: disables TLS verification
# Good — custom CA bundle
curl --cacert /path/to/ca-bundle.crt https://internal-api.example.com/data
# Good — pin certificate
curl --pinnedpubkey "sha256//hash==" https://api.example.com/data
```
## Output Sanitization
```bash
# Don't log full responses that might contain tokens
# Good — log status only
status=$(curl -sS -o /dev/null -w "%{http_code}" "$URL")
echo "Status: $status"
# Bad — log entire response (may contain tokens, PII)
response=$(curl -sS "$URL")
echo "$response" >> application.log
```
## Safe Scripting Patterns
```bash
# Pipe output straight to the consumer instead of staging it in a temp file
curl -sS -H "Authorization: Bearer $TOKEN" "$URL" | jq '.' > /dev/null
# Pass credentials through a config read from stdin (-K -), not on the command
# line: "$(cat password-file)" still expands into argv and the process list
printf 'user = "user:%s"\n' "$(cat /path/to/password-file)" | curl -sS -K - "$URL"
# Clear variables after use
unset API_TOKEN
```
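Putting the credential, TLS, output and scripting rules above together, as an added example that is not part of the original rule set: a wrapper that feeds the Authorization header to curl through a config on stdin (`-K -`) so the token never lands in argv, keeps TLS verification on, logs only the status code, and redacts secrets from curl's own error output. `API_TOKEN`, `CA_BUNDLE` and the helper names are assumptions for this demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original rule set. Assumes API_TOKEN is set in
# the environment and that CA_BUNDLE (optional) names a PEM CA bundle file.
set -eu

# Emit a curl config for "-K -" (curl reads the config from stdin). The
# Authorization header therefore never appears in argv, so it is invisible
# to ps and shell history, and TLS verification stays on: no "insecure" line.
build_curl_config() {
  printf 'url = "%s"\n' "$1"
  printf 'header = "Authorization: Bearer %s"\n' "$API_TOKEN"
  printf 'silent\nshow-error\nfail\n'
  if [ -n "${CA_BUNDLE:-}" ]; then
    printf 'cacert = "%s"\n' "$CA_BUNDLE"
  fi
}

# Mask bearer tokens, basic-auth blobs and token query parameters in any
# text that is about to be logged or echoed (curl's error output included).
redact_secrets() {
  sed -E \
    -e 's#(Authorization: Bearer )[^[:space:]"]+#\1[REDACTED]#g' \
    -e 's#(Authorization: Basic )[A-Za-z0-9+/=]+#\1[REDACTED]#g' \
    -e 's#([?&](token|api_key|access_token)=)[^&[:space:]]+#\1[REDACTED]#g'
}

# Fetch a URL: the body goes to a 0600 temp file that is removed on exit,
# only the HTTP status code is logged, and stderr is redacted before display.
safe_get() {
  body=$(mktemp) errlog=$(mktemp)
  chmod 600 "$body" "$errlog"
  trap 'rm -f "$body" "$errlog"' EXIT
  status=$(build_curl_config "$1" | curl -K - -o "$body" -w '%{http_code}' 2>"$errlog") || true
  redact_secrets <"$errlog" >&2
  echo "Status: ${status:-000}"    # never "$(cat "$body")": it may hold tokens or PII
  [ "${status:-000}" = "200" ]
}

# Only perform a real request when invoked as: ./script.sh --run https://host/path
if [ "${1:-}" = "--run" ]; then
  safe_get "${2:?usage: $0 --run URL}"
fi
```

Because `-K -` consumes stdin, a request body must be supplied with `-d @file` or `--data-binary @file` rather than piped in.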
## Gitignore Rules
```gitignore
# Ignore files that may contain credentials
.curlrc
*.curl
cookies.txt
.netrc
```
## Anti-Patterns
- Hardcoded tokens in curl commands (visible in history)
- Using -k/--insecure in production (MITM vulnerability)
- Logging full responses containing tokens or PII
- Storing credentials in shell history (use HISTCONTROL=ignorespace)
- Cookie files left on disk after scripts complete
- Sending credentials over HTTP (not HTTPS)