by h43z 699 days ago
I've never seen this extra measure "curl --proto '=https' ..."
2 comments

Yep, this is auto-generated by cargo-dist (https://opensource.axo.dev/cargo-dist/book/)
Me neither, so I looked it up at https://curl.se/docs/manpage.html. With the equals it means only allow the named protocols.
What would be allowed after SSL? By default, does curl allow redirects to http:// via -L?

If so... that's kinda sketchy from a security perspective. Especially because the flag you've shown is very unwieldy.

curl will not follow any redirects without -L, including from http to https.

But -L is very useful, so being able to prevent downgrades has useful functionality to help restrict it.
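An added example, not from the thread or from cargo-dist, showing what the restriction looks like in practice. `check_chain` models the scheme policy that `curl --proto '=https' -L` applies to an initial URL and each redirect target (per the curl manpage, protocols denied by `--proto` are not overridden by `--proto-redir`, so an https-to-http redirect is refused even with `-L`), and `hardened_fetch_cmd` prints the full invocation this corresponds to. The hostnames and paths are constructed; the flag choices beyond `--proto '=https'` are my suggestion, not the installer's.

```shell
#!/bin/sh
# Added example (not from the HN thread or cargo-dist): emulate the scheme
# policy of `curl --proto '=https' -L` over a redirect chain, and print the
# hardened fetch command. All URLs below are constructed.

# check_chain URL [REDIRECT_TARGET...]
# Emulates `--proto '=https'`: the initial URL (hop 0) and every redirect
# target must be https. Prints "ok", or "blocked:<hop>:<url>" for the first
# hop curl would refuse, and returns 1 in that case.
check_chain() {
    hop=0
    for url in "$@"; do
        case "$url" in
            https://*) ;;
            *)
                echo "blocked:$hop:$url"
                return 1
                ;;
        esac
        hop=$((hop + 1))
    done
    echo "ok"
    return 0
}

# hardened_fetch_cmd URL OUTFILE
# Prints the curl command line this policy corresponds to:
#   --proto '=https'        only https, for the initial URL and redirects
#   --proto-redir '=https'  explicit: redirect targets may only be https
#   --tlsv1.2               refuse TLS 1.0 / 1.1
#   -f                      fail on HTTP errors instead of saving the error page
#   -L                      follow redirects; safe here because http is refused
hardened_fetch_cmd() {
    printf "curl --proto '=https' --proto-redir '=https' --tlsv1.2 -sSfL -o '%s' '%s'\n" "$2" "$1"
}

# Demonstration on constructed chains (runs stand-alone).
check_chain "https://releases.example/installer.sh" "https://cdn.example/installer.sh"
check_chain "https://releases.example/installer.sh" "http://cdn.example/installer.sh" \
    || echo "  -> -L stops here; curl exits 1 (protocol not supported or disabled)"
hardened_fetch_cmd "https://releases.example/installer.sh" "installer.sh"
```

Without the `--proto` restriction, `-L` would happily follow the second chain's redirect onto plain http, which is the downgrade the flag exists to prevent.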

This has nothing to do with what I'm attempting to discuss.