Is "curl -u username:password http://example.com" secure?

It is unsafe, because cURL defaults to basic authentication where HTTP protocol sends your password in clear text. When you specify the username:password string, it gets converted to a BASE64 string in the HTTP header:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

Anyone able to intercept your HTTP traffic (your provider, anyone accessing the same wireless AP as you etc) will be able to recover the password by simply using an online BASE64 converter.

HTTPS protocol will make things better by establishing an encrypted connection before this header is sent, preventing the password from being revealed. However, this only applies if the user pays attention when asked to confirm unknown certificates, authorize security exceptions and so on.

Note that command arguments might be available for other users on the same machine to see, e.g. ps -ef, /proc filesystem, in you bash history, and in your terminal log (thanks for @Lambert's comment noting this). cURL on some platforms attempts to hide the password so for example with ps -ef you are likely to see blank space instead of a password. However, instead of passing the password as a command line argument, having cURL directly prompt for a password is better, as discussed on the cURL faq.


It is not secure. Command line parameters are visible to all users.


This could be done in a more safer way by using --netrc-file parameter.

  1. Create a file with 600 permission

For eg: vi /root/my-file

machine example.com

login USERNAME

password PASSWORD

Save and Close the file

  1. Use the below to access the URL with Username and Password.

curl --netrc-file /root/my-file http://example.com

  1. Done