curlwtf

Flag guide

What does curl -k mean?

Security warning

Using -k in production exposes you to man-in-the-middle attacks. Never use it against public APIs or in automated scripts that run against real infrastructure.

curl -k (long form: --insecure) disables SSL/TLS certificate verification. By default, curl checks that the server certificate is signed by a trusted CA and hasn't expired. -k skips all of that.

When is -k acceptable?

  • Local development against a server with a self-signed certificate
  • Quick one-off testing in an isolated environment
  • Debugging a certificate problem (to confirm the issue is cert-related)

Safer alternatives

  • --cacert ca.crt: Trust a specific CA certificate file instead of skipping verification entirely.
  • mkcert: Generate a locally-trusted certificate for localhost. Installs the CA in your system store — no -k needed.
  • Fix the server cert: Use a free cert from Let's Encrypt. Zero reason to ship with an invalid cert.

Paste any curl with -k into curlwtf.com — it will flag the insecure flag as a security warning automatically.
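A check of the same kind that can run locally or in CI over your own scripts, as an added example (it is not curlwtf's code): it tokenizes each curl command and reports -k, --insecure, and a k hidden inside a short-flag cluster such as -sSk, while ignoring a "-k" that is really the value of another option. The function names, the partial option tables and the sample script are constructed for illustration.

```python
import shlex
# curl short options that take a value (rest of the cluster, or the next token).
SHORT_WITH_ARG = set("AbcCdDeEFHKmoPQrtTuUwxXyYz")
# Partial list of long options that take a value (assumption: extend as needed).
LONG_WITH_ARG = {"--header", "--data", "--output", "--user", "--request", "--cacert"}

def insecure_flags(command):
    """Return the tokens in one curl command that disable certificate verification."""
    try:
        tokens = shlex.split(command, comments=True)
        args = tokens[tokens.index("curl") + 1:]
    except ValueError:          # unbalanced quotes, or no curl token on this line
        return []
    hits, skip = [], False
    for tok in args:
        if skip:                # this token is the value of the previous option
            skip = False
        elif tok == "--insecure":
            hits.append(tok)
        elif tok in LONG_WITH_ARG:
            skip = True
        elif tok.startswith("-") and not tok.startswith("--") and len(tok) > 1:
            found = False
            for pos, ch in enumerate(tok[1:], start=1):
                if ch in SHORT_WITH_ARG:
                    skip = pos == len(tok) - 1   # no attached value: it is the next token
                    break
                found = found or ch == "k"
            if found:
                hits.append(tok)
    return hits

def scan(script):
    """Return (line number, flag) for every insecure curl call in a shell script."""
    return [(n, flag) for n, line in enumerate(script.splitlines(), start=1)
            for flag in insecure_flags(line)]

# Constructed sample script, not taken from the page.
SAMPLE_SCRIPT = """\
#!/bin/sh
# curl -k was used here during debugging
curl -sSk https://localhost:8443/health
curl --cacert ca.crt https://localhost:8443/health
curl -d -k https://localhost:8443/echo
curl -fsSL --insecure -o out.json https://localhost:8443/data
"""
if __name__ == "__main__":
    for lineno, flag in scan(SAMPLE_SCRIPT):
        print(f"line {lineno}: {flag} disables certificate verification")
```

Only single-line commands that invoke curl by that exact name are recognized; commands split across continuation lines or called through a wrapper need extra handling.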

© 2026 curlwtf