curl -k / --insecure: Skip TLS Verification (Avoid It)
-k silences TLS errors by turning off verification, which also turns off security.
It is tempting to add -k when curl complains about a certificate, but it disables the protection TLS provides. Almost always there is a proper fix.
What it does
-k / --insecure tells curl to proceed even when the server certificate cannot be verified: expired, self-signed, wrong hostname, or untrusted CA. The connection is still encrypted, but you lose the guarantee that you are talking to the right server, which exposes you to man-in-the-middle attacks. It treats a verification failure as success.
Common usage
# The fix, not -k: trust the CA explicitly
curl --cacert /etc/ssl/certs/internal-ca.pem https://internal.example.com/x
# Only as a last resort in a trusted, throwaway context:
curl -k https://localhost:8443/healthFlags
| Flag | What it does |
|---|---|
| -k / --insecure | Skip certificate verification (unsafe) |
| --cacert <file> | Trust a specific CA bundle (the proper fix) |
| --capath <dir> | Use a directory of trusted CA certs |
| --cert / --key | Present a client certificate for mutual TLS |
In CI
Do not reach for -k to paper over a cert error in a pipeline. The right fixes are: add the internal CA with --cacert, install it into the runner trust store, or fix the hostname mismatch. If you must use -k for a local self-signed service, scope it to that one call and never to external hosts.
Common errors in CI
curl: (60) SSL certificate problem: unable to get local issuer certificate means curl does not trust the CA; supply it with --cacert instead of -k. curl: (60) ... certificate has expired means the server cert is expired; renew it rather than disabling verification.