Skip to content
Latchkey

curl -k / --insecure: Skip TLS Verification (Avoid It)

-k silences TLS errors by turning off verification, which also turns off security.

It is tempting to add -k when curl complains about a certificate, but it disables the protection TLS provides. Almost always there is a proper fix.

What it does

-k / --insecure tells curl to proceed even when the server certificate cannot be verified: expired, self-signed, wrong hostname, or untrusted CA. The connection is still encrypted, but you lose the guarantee that you are talking to the right server, which exposes you to man-in-the-middle attacks. It treats a verification failure as success.

Common usage

Terminal
# The fix, not -k: trust the CA explicitly
curl --cacert /etc/ssl/certs/internal-ca.pem https://internal.example.com/x
# Only as a last resort in a trusted, throwaway context:
curl -k https://localhost:8443/health

Flags

FlagWhat it does
-k / --insecureSkip certificate verification (unsafe)
--cacert <file>Trust a specific CA bundle (the proper fix)
--capath <dir>Use a directory of trusted CA certs
--cert / --keyPresent a client certificate for mutual TLS

In CI

Do not reach for -k to paper over a cert error in a pipeline. The right fixes are: add the internal CA with --cacert, install it into the runner trust store, or fix the hostname mismatch. If you must use -k for a local self-signed service, scope it to that one call and never to external hosts.

Common errors in CI

curl: (60) SSL certificate problem: unable to get local issuer certificate means curl does not trust the CA; supply it with --cacert instead of -k. curl: (60) ... certificate has expired means the server cert is expired; renew it rather than disabling verification.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →