Command builder

curl command builder

For the things you only do occasionally — check response headers, follow redirects, debug CORS, test caching. Pick a recipe, tweak, copy. Quoting is correct for your shell.

Recipe:

Response & inspection

Show

Follow redirects -L Silent -s Verbose -v Accept gzip/br --compressed

Write-out summary

Headers & identity

Custom headers

User-Agent -A

Referer -e

Authentication

Type

Request body

Body

CORS preflight

Build a preflight OPTIONS request

Caching / conditional

Bypass cache Cache-Control: no-cache

If-None-Match (ETag)

If-Modified-Since

TLS & connection

Skip TLS verify -k

HTTP version

Resolve host to a specific IP --resolve (test a CDN edge / staging server)

Host

Port

Connect timeout (s)

Max time (s)

Max redirects (with -L)

The recipes, explained

Headers only — -I: Sends a HEAD request and prints just the response headers. The classic confusion: -I = headers only; -i = headers plus body. Don't use -X HEAD — it can hang waiting for a body that never comes.
Trace redirects — -sIL: Follows the redirect chain (-L) and prints each hop's headers (-I), quietly (-s). The fastest way to see where a URL really ends up and with which status codes. Note: by default curl does not follow redirects.
Test CORS — preflight OPTIONS: Browsers send a preflight before certain cross-origin requests. This reproduces it: an OPTIONS request carrying Origin, Access-Control-Request-Method and Access-Control-Request-Headers. Read the response's Access-Control-Allow-* headers to see what the server permits.
Test caching — conditional request: Send the ETag you got back as If-None-Match (or a date as If-Modified-Since). A 304 Not Modified confirms caching/revalidation works. Inspect Cache-Control, Expires, Age and CDN headers like X-Cache / CF-Cache-Status in the headers-only view.
POST JSON — -d + Content-Type: The #1 mistake is forgetting Content-Type: application/json, so this recipe adds it automatically. -d already implies POST, so no separate -X POST is emitted.
Timing breakdown — -w: Prints DNS, connect, TLS, time-to-first-byte and total times — for answering "why is this slow?" without a profiler.

Why the shell toggle?

bash/zsh wrap strings in single quotes, so JSON like {"a":1} pastes cleanly. Windows shells don't: CMD has no single-quote string, so quotes must be doubled and inner ones escaped; PowerShell aliases curl to a different command, so the binary is written as curl.exe, and the null device is NUL not /dev/null. Pick your shell and the command is rewritten to paste correctly.

Two security notes

-k (skip TLS verification) defeats the point of HTTPS — use it only against known staging/self-signed hosts, never in scripts that touch real data. On a redirect to a different host, curl drops the Authorization header on purpose so your token can't leak to another origin.

Sources & references

everything.curl.dev — the curl bookcurl project
curl man pagecurl.se
Cross-Origin Resource Sharing (CORS)MDN
HTTP cachingMDN