Make curl default to HTTPS

When you run curl without giving a protocol in the URL (e.g., curl example.com/file), the request is made over plain-text HTTP.

The curl v7.45.0 release (10/2015) added an option to use HTTPS instead. You can make it the default protocol for bare domains like this:

$ curl -v tomayko.com 2>&1 | grep Connected
* Connected to tomayko.com (104.27.134.227) port 80 (#0)

# add the proto-default line to your curl config file
$ echo proto-default = https >> ~/.curlrc

$ curl -v tomayko.com 2>&1 | grep Connected
* Connected to tomayko.com (104.27.134.227) port 443 (#0)
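Running the `echo ... >> ~/.curlrc` line a second time appends a duplicate, and it does not check whether the installed curl is new enough or whether the file already sets a different default. The sketch below is an added example, not code from the original post. It makes the change idempotent. The function names are hypothetical, and it assumes the last `proto-default` line in the file is the one that takes effect.

```shell
#!/bin/sh
# Added example. All function names here are hypothetical helpers.

# Succeeds if curl version $1 (e.g. "7.45.0") is at least 7.45.0, the release
# that introduced proto-default. Returns 2 if $1 is not a dotted version.
# Installed version: curl --version | awk 'NR==1 {print $2}'
curl_supports_proto_default() {
    case $1 in *.*) ;; *) return 2 ;; esac
    _major=${1%%.*}; _rest=${1#*.}; _minor=${_rest%%.*}
    case $_major in ''|*[!0-9]*) return 2 ;; esac
    case $_minor in ''|*[!0-9]*) return 2 ;; esac
    [ "$_major" -gt 7 ] || { [ "$_major" -eq 7 ] && [ "$_minor" -ge 45 ]; }
}

# Prints the lower-cased value of the last active proto-default line in config
# file $1, or nothing. curl config files accept the option with or without
# leading dashes, separated by spaces, "=" or ":"; lines starting "#" are comments.
current_proto_default() {
    [ -f "$1" ] || return 0
    sed -n -E 's/^[[:space:]]*(--)?proto-default([[:space:]]*[=:][[:space:]]*|[[:space:]]+)"?([A-Za-z0-9.+-]+)"?[[:space:]]*$/\3/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Idempotent form of: echo proto-default = https >> ~/.curlrc
# Returns 0 if the file defaults to https afterwards, 3 if it already sets a
# different protocol (the file is then left untouched for manual review).
ensure_proto_default_https() {
    _cur=$(current_proto_default "$1")
    case $_cur in
        https) return 0 ;;                      # already set, nothing to append
        '')
            # Do not glue the new line onto an unterminated last line.
            if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
                printf '\n' >> "$1"
            fi
            printf 'proto-default = https\n' >> "$1" ;;
        *)
            echo "$1 already sets proto-default = $_cur; not changing it" >&2
            return 3 ;;
    esac
}
```

Call `ensure_proto_default_https "$HOME/.curlrc"` once `curl_supports_proto_default` succeeds for the installed version.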

In addition to the obvious benefit of preventing accidental plain-text requests in a world that’s increasingly HTTPS by default, this also avoids having to re-run commands with explicit https:// URLs (or with curl -L) after scratching your head when the first invocation gives no output.

It’s not all upside, though. If, like me, you use curl on servers to interact with daemon stats URLs like Nginx’s stub status module or Golang’s expvars, you’ll need to remember to use http:// URLs on the command line and in scripts. There’s no attempt to auto-downgrade requests to HTTP when SSL negotiation fails.