curl/docs/cmdline-opts/insecure.md

---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Long: insecure
Short: k
Help: Allow insecure server connections
Protocols: TLS SFTP SCP
Category: tls sftp scp
Added: 7.10
Multi: boolean
See-also:
  - proxy-insecure
  - cacert
  - capath
Example:
  - --insecure $URL
---

# `--insecure`

By default, every secure connection curl makes is verified to be secure before
the transfer takes place. This option makes curl skip the verification step
and proceed without checking.

When this option is not used for protocols using TLS, curl verifies the
server's TLS certificate before it continues: that the certificate contains
the right name which matches the hostname used in the URL and that the
certificate has been signed by a CA certificate present in the cert store. See
this online resource for further details:
**https://curl.se/docs/sslcerts.html**

For SFTP and SCP, this option makes curl skip the *known_hosts* verification.
*known_hosts* is a file normally stored in the user's home directory in the
".ssh" subdirectory, which contains hostnames and their public keys.

**WARNING**: using this option makes the transfer insecure.

When curl uses secure protocols it trusts responses and allows for example
HSTS and Alt-Svc information to be stored and used subsequently. Using
--insecure can make curl trust and use such information from malicious
servers.
docs/cmdline: change to .md for cmdline docs - switch all invidual files documenting command line options into .md, as the documentation is now markdown-looking. - made the parser treat 4-space indents as quotes - switch to building the curl.1 manpage using the "mainpage.idx" file, which lists the files to include to generate it, instead of using the previous page-footer/headers. Also, those files are now also .md ones, using the same format. I gave them underscore prefixes to make them sort separately: _NAME.md, _SYNOPSIS.md, _DESCRIPTION.md, _URL.md, _GLOBBING.md, _VARIABLES.md, _OUTPUT.md, _PROTOCOLS.md, _PROGRESS.md, _VERSION.md, _OPTIONS.md, _FILES.md, _ENVIRONMENT.md, _PROXYPREFIX.md, _EXITCODES.md, _BUGS.md, _AUTHORS.md, _WWW.md, _SEEALSO.md - updated test cases accordingly Closes #12751 2024-01-21 06:18:43 +08:00			`---`
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - saves us from pointless churn - git keeps history for us - the year range is kept in COPYING checksrc is updated to allow non-year using copyright statements Closes #10205 2023-01-02 20:51:48 +08:00			`c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.`
docs/cmdline-opts: add copyright and license identifier to each file gen.pl now insists on C: and SPDX-License-Identifier: fields to be present in all files. Closes #9002 2022-06-14 06:12:03 +08:00			`SPDX-License-Identifier: curl`
cmdline-docs: more options converted over 2016-11-16 06:44:58 +08:00			`Long: insecure`
			`Short: k`
insecure.d: detail its use for SFTP and SCP as well Closes #8056 2021-11-25 20:17:49 +08:00			`Help: Allow insecure server connections`
			`Protocols: TLS SFTP SCP`
			`Category: tls sftp scp`
cmdline-opts: made the 'Added:' field mandatory Since "too old" versions are no longer included in the generated man page, this field is now mandatory so that it won't be forgotten and then not included in the documentation. Closes #7786 2021-09-28 17:50:07 +08:00			`Added: 7.10`
cmdline/docs: add a required 'multi' keyword for each option The keyword specifies how option works when specified multiple times: - single: the last provided value replaces the earlier ones - append: it supports being provided multiple times - boolean: on/off values - mutex: flag-like option that disable anoter flag The 'gen.pl' script then outputs the proper and unified language for each option's multi-use behavior in the generated man page. The multi: header is requires in each .d file and will cause build error if missing or set to an unknown value. Closes #9759 2022-10-18 16:39:43 +08:00			`Multi: boolean`
docs/cmdline: change to .md for cmdline docs - switch all invidual files documenting command line options into .md, as the documentation is now markdown-looking. - made the parser treat 4-space indents as quotes - switch to building the curl.1 manpage using the "mainpage.idx" file, which lists the files to include to generate it, instead of using the previous page-footer/headers. Also, those files are now also .md ones, using the same format. I gave them underscore prefixes to make them sort separately: _NAME.md, _SYNOPSIS.md, _DESCRIPTION.md, _URL.md, _GLOBBING.md, _VARIABLES.md, _OUTPUT.md, _PROTOCOLS.md, _PROGRESS.md, _VERSION.md, _OPTIONS.md, _FILES.md, _ENVIRONMENT.md, _PROXYPREFIX.md, _EXITCODES.md, _BUGS.md, _AUTHORS.md, _WWW.md, _SEEALSO.md - updated test cases accordingly Closes #12751 2024-01-21 06:18:43 +08:00			`See-also:`
			`- proxy-insecure`
			`- cacert`
			`- capath`
			`Example:`
			`- --insecure $URL`
cmdline-docs: more options converted over 2016-11-16 06:44:58 +08:00			`---`
docs/cmdline: change to .md for cmdline docs - switch all invidual files documenting command line options into .md, as the documentation is now markdown-looking. - made the parser treat 4-space indents as quotes - switch to building the curl.1 manpage using the "mainpage.idx" file, which lists the files to include to generate it, instead of using the previous page-footer/headers. Also, those files are now also .md ones, using the same format. I gave them underscore prefixes to make them sort separately: _NAME.md, _SYNOPSIS.md, _DESCRIPTION.md, _URL.md, _GLOBBING.md, _VARIABLES.md, _OUTPUT.md, _PROTOCOLS.md, _PROGRESS.md, _VERSION.md, _OPTIONS.md, _FILES.md, _ENVIRONMENT.md, _PROXYPREFIX.md, _EXITCODES.md, _BUGS.md, _AUTHORS.md, _WWW.md, _SEEALSO.md - updated test cases accordingly Closes #12751 2024-01-21 06:18:43 +08:00
			# `--insecure`

insecure.d: detail its use for SFTP and SCP as well Closes #8056 2021-11-25 20:17:49 +08:00			`By default, every secure connection curl makes is verified to be secure before`
			`the transfer takes place. This option makes curl skip the verification step`
			`and proceed without checking.`
cmdline-docs: more options converted over 2016-11-16 06:44:58 +08:00
insecure.d: detail its use for SFTP and SCP as well Closes #8056 2021-11-25 20:17:49 +08:00			`When this option is not used for protocols using TLS, curl verifies the`
			`server's TLS certificate before it continues: that the certificate contains`
docs: more language cleanups - present tense - avoid bad words Closes #13003 2024-02-27 17:35:28 +08:00			`the right name which matches the hostname used in the URL and that the`
			`certificate has been signed by a CA certificate present in the cert store. See`
			`this online resource for further details:`
docs/cmdline: change to .md for cmdline docs - switch all invidual files documenting command line options into .md, as the documentation is now markdown-looking. - made the parser treat 4-space indents as quotes - switch to building the curl.1 manpage using the "mainpage.idx" file, which lists the files to include to generate it, instead of using the previous page-footer/headers. Also, those files are now also .md ones, using the same format. I gave them underscore prefixes to make them sort separately: _NAME.md, _SYNOPSIS.md, _DESCRIPTION.md, _URL.md, _GLOBBING.md, _VARIABLES.md, _OUTPUT.md, _PROTOCOLS.md, _PROGRESS.md, _VERSION.md, _OPTIONS.md, _FILES.md, _ENVIRONMENT.md, _PROXYPREFIX.md, _EXITCODES.md, _BUGS.md, _AUTHORS.md, _WWW.md, _SEEALSO.md - updated test cases accordingly Closes #12751 2024-01-21 06:18:43 +08:00			`https://curl.se/docs/sslcerts.html`
curl.1: provide examples for each option The file format for each option now features a "Example:" header that can provide one or more examples that get rendered appropriately in the output. All options MUST have at least one example or gen.pl complains at build-time. This fix also does a few other minor format and consistency cleanups. Closes #7654 2021-08-31 22:37:14 +08:00
insecure.d: detail its use for SFTP and SCP as well Closes #8056 2021-11-25 20:17:49 +08:00			`For SFTP and SCP, this option makes curl skip the known_hosts verification.`
			`known_hosts is a file normally stored in the user's home directory in the`
docs: more language cleanups - present tense - avoid bad words Closes #13003 2024-02-27 17:35:28 +08:00			`".ssh" subdirectory, which contains hostnames and their public keys.`
insecure.d: detail its use for SFTP and SCP as well Closes #8056 2021-11-25 20:17:49 +08:00
insecure.d: expand and clarify Closes #8017 2021-11-15 22:07:01 +08:00			`WARNING: using this option makes the transfer insecure.`
docs: mention indirect effects of --insecure Warn users that disabling certficate verification allows servers to "pollute" curl with data it trusts. Reported-by: Harry Sintonen Closes #10126 2022-12-22 06:36:57 +08:00
			`When curl uses secure protocols it trusts responses and allows for example`
			`HSTS and Alt-Svc information to be stored and used subsequently. Using`
			`--insecure can make curl trust and use such information from malicious`
			`servers.`