xref: /curl/docs/TheArtOfHttpScripting.md (revision dada880f)
1<!--
2Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
3
4SPDX-License-Identifier: curl
5-->
6
7# The Art Of Scripting HTTP Requests Using Curl
8
9## Background
10
11 This document assumes that you are familiar with HTML and general networking.
12
13 The increasing amount of applications moving to the web has made "HTTP
14 Scripting" more frequently requested and wanted. To be able to automatically
15 extract information from the web, to fake users, to post or upload data to
16 web servers are all important tasks today.
17
18 Curl is a command line tool for doing all sorts of URL manipulations and
19 transfers, but this particular document focuses on how to use it when doing
20 HTTP requests for fun and profit. This documents assumes that you know how to
21 invoke `curl --help` or `curl --manual` to get basic information about it.
22
23 Curl is not written to do everything for you. It makes the requests, it gets
24 the data, it sends data and it retrieves the information. You probably need
25 to glue everything together using some kind of script language or repeated
26 manual invokes.
27
28## The HTTP Protocol
29
30 HTTP is the protocol used to fetch data from web servers. It is a simple
31 protocol that is built upon TCP/IP. The protocol also allows information to
32 get sent to the server from the client using a few different methods, as is
33 shown here.
34
35 HTTP is plain ASCII text lines being sent by the client to a server to
36 request a particular action, and then the server replies a few text lines
37 before the actual requested content is sent to the client.
38
39 The client, curl, sends an HTTP request. The request contains a method (like
40 GET, POST, HEAD etc), a number of request headers and sometimes a request
41 body. The HTTP server responds with a status line (indicating if things went
42 well), response headers and most often also a response body. The "body" part
43 is the plain data you requested, like the actual HTML or the image etc.
44
45## See the Protocol
46
47 Using curl's option [`--verbose`](https://curl.se/docs/manpage.html#-v) (`-v`
48 as a short option) displays what kind of commands curl sends to the server,
49 as well as a few other informational texts.
50
51 `--verbose` is the single most useful option when it comes to debug or even
52 understand the curl<->server interaction.
53
54 Sometimes even `--verbose` is not enough. Then
55 [`--trace`](https://curl.se/docs/manpage.html#-trace) and
56 [`--trace-ascii`](https://curl.se/docs/manpage.html#--trace-ascii)
57 offer even more details as they show **everything** curl sends and
58 receives. Use it like this:
59
60    curl --trace-ascii debugdump.txt http://www.example.com/
61
62## See the Timing
63
64 Many times you may wonder what exactly is taking all the time, or you just
65 want to know the amount of milliseconds between two points in a transfer. For
66 those, and other similar situations, the
67 [`--trace-time`](https://curl.se/docs/manpage.html#--trace-time) option is
68 what you need. It prepends the time to each trace output line:
69
70    curl --trace-ascii d.txt --trace-time http://example.com/
71
72## See which Transfer
73
74 When doing parallel transfers, it is relevant to see which transfer is doing
75 what. When response headers are received (and logged) you need to know which
76 transfer these are for.
77 [`--trace-ids`](https://curl.se/docs/manpage.html#--trace-ids) option is what
78 you need. It prepends the transfer and connection identifier to each trace
79 output line:
80
81    curl --trace-ascii d.txt --trace-ids http://example.com/
82
83## See the Response
84
85 By default curl sends the response to stdout. You need to redirect it
86 somewhere to avoid that, most often that is done with `-o` or `-O`.
87
88# URL
89
90## Spec
91
92 The Uniform Resource Locator format is how you specify the address of a
93 particular resource on the Internet. You know these, you have seen URLs like
94 https://curl.se or https://example.com a million times. RFC 3986 is the
95 canonical spec. The formal name is not URL, it is **URI**.
96
97## Host
98
99 The hostname is usually resolved using DNS or your /etc/hosts file to an IP
100 address and that is what curl communicates with. Alternatively you specify
101 the IP address directly in the URL instead of a name.
102
103 For development and other trying out situations, you can point to a different
104 IP address for a hostname than what would otherwise be used, by using curl's
105 [`--resolve`](https://curl.se/docs/manpage.html#--resolve) option:
106
107    curl --resolve www.example.org:80:127.0.0.1 http://www.example.org/
108
109## Port number
110
111 Each protocol curl supports operates on a default port number, be it over TCP
112 or in some cases UDP. Normally you do not have to take that into
113 consideration, but at times you run test servers on other ports or
114 similar. Then you can specify the port number in the URL with a colon and a
115 number immediately following the hostname. Like when doing HTTP to port
116 1234:
117
118    curl http://www.example.org:1234/
119
120 The port number you specify in the URL is the number that the server uses to
121 offer its services. Sometimes you may use a proxy, and then you may
122 need to specify that proxy's port number separately from what curl needs to
123 connect to the server. Like when using an HTTP proxy on port 4321:
124
125    curl --proxy http://proxy.example.org:4321 http://remote.example.org/
126
127## Username and password
128
129 Some services are setup to require HTTP authentication and then you need to
130 provide name and password which is then transferred to the remote site in
131 various ways depending on the exact authentication protocol used.
132
133 You can opt to either insert the user and password in the URL or you can
134 provide them separately:
135
136    curl http://user:password@example.org/
137
138 or
139
140    curl -u user:password http://example.org/
141
142 You need to pay attention that this kind of HTTP authentication is not what
143 is usually done and requested by user-oriented websites these days. They tend
144 to use forms and cookies instead.
145
146## Path part
147
148 The path part is just sent off to the server to request that it sends back
149 the associated response. The path is what is to the right side of the slash
150 that follows the hostname and possibly port number.
151
152# Fetch a page
153
154## GET
155
156 The simplest and most common request/operation made using HTTP is to GET a
157 URL. The URL could itself refer to a webpage, an image or a file. The client
158 issues a GET request to the server and receives the document it asked for.
159 If you issue the command line
160
161    curl https://curl.se
162
163 you get a webpage returned in your terminal window. The entire HTML document
164 that that URL holds.
165
166 All HTTP replies contain a set of response headers that are normally hidden,
167 use curl's [`--include`](https://curl.se/docs/manpage.html#-i) (`-i`)
168 option to display them as well as the rest of the document.
169
170## HEAD
171
172 You can ask the remote server for ONLY the headers by using the
173 [`--head`](https://curl.se/docs/manpage.html#-I) (`-I`) option which makes
174 curl issue a HEAD request. In some special cases servers deny the HEAD method
175 while others still work, which is a particular kind of annoyance.
176
177 The HEAD method is defined and made so that the server returns the headers
178 exactly the way it would do for a GET, but without a body. It means that you
179 may see a `Content-Length:` in the response headers, but there must not be an
180 actual body in the HEAD response.
181
182## Multiple URLs in a single command line
183
184 A single curl command line may involve one or many URLs. The most common case
185 is probably to just use one, but you can specify any amount of URLs. Yes any.
186 No limits. You then get requests repeated over and over for all the given
187 URLs.
188
189 Example, send two GET requests:
190
191    curl http://url1.example.com http://url2.example.com
192
193 If you use [`--data`](https://curl.se/docs/manpage.html#-d) to POST to
194 the URL, using multiple URLs means that you send that same POST to all the
195 given URLs.
196
197 Example, send two POSTs:
198
199    curl --data name=curl http://url1.example.com http://url2.example.com
200
201
202## Multiple HTTP methods in a single command line
203
204 Sometimes you need to operate on several URLs in a single command line and do
205 different HTTP methods on each. For this, you might enjoy the
206 [`--next`](https://curl.se/docs/manpage.html#-:) option. It is basically a
207 separator that separates a bunch of options from the next. All the URLs
208 before `--next` get the same method and get all the POST data merged into
209 one.
210
211 When curl reaches the `--next` on the command line, it resets the method and
212 the POST data and allow a new set.
213
214 Perhaps this is best shown with a few examples. To send first a HEAD and then
215 a GET:
216
217    curl -I http://example.com --next http://example.com
218
219 To first send a POST and then a GET:
220
221    curl -d score=10 http://example.com/post.cgi --next http://example.com/results.html
222
223# HTML forms
224
225## Forms explained
226
227 Forms are the general way a website can present an HTML page with fields for
228 the user to enter data in, and then press some kind of 'OK' or 'Submit'
229 button to get that data sent to the server. The server then typically uses
230 the posted data to decide how to act. Like using the entered words to search
231 in a database, or to add the info in a bug tracking system, display the
232 entered address on a map or using the info as a login-prompt verifying that
233 the user is allowed to see what it is about to see.
234
235 Of course there has to be some kind of program on the server end to receive
236 the data you send. You cannot just invent something out of the air.
237
238## GET
239
240 A GET-form uses the method GET, as specified in HTML like:
241
242```html
243<form method="GET" action="junk.cgi">
244  <input type=text name="birthyear">
245  <input type=submit name=press value="OK">
246</form>
247```
248
249 In your favorite browser, this form appears with a text box to fill in and a
250 press-button labeled "OK". If you fill in '1905' and press the OK button,
251 your browser then creates a new URL to get for you. The URL gets
252 `junk.cgi?birthyear=1905&press=OK` appended to the path part of the previous
253 URL.
254
255 If the original form was seen on the page `www.example.com/when/birth.html`,
256 the second page you get becomes
257 `www.example.com/when/junk.cgi?birthyear=1905&press=OK`.
258
259 Most search engines work this way.
260
261 To make curl do the GET form post for you, just enter the expected created
262 URL:
263
264    curl "http://www.example.com/when/junk.cgi?birthyear=1905&press=OK"
265
266## POST
267
268 The GET method makes all input field names get displayed in the URL field of
269 your browser. That is generally a good thing when you want to be able to
270 bookmark that page with your given data, but it is an obvious disadvantage if
271 you entered secret information in one of the fields or if there are a large
272 amount of fields creating a long and unreadable URL.
273
274 The HTTP protocol then offers the POST method. This way the client sends the
275 data separated from the URL and thus you do not see any of it in the URL
276 address field.
277
278 The form would look similar to the previous one:
279
280```html
281<form method="POST" action="junk.cgi">
282  <input type=text name="birthyear">
283  <input type=submit name=press value=" OK ">
284</form>
285```
286
287 And to use curl to post this form with the same data filled in as before, we
288 could do it like:
289
290    curl --data "birthyear=1905&press=%20OK%20" http://www.example.com/when/junk.cgi
291
292 This kind of POST uses the Content-Type `application/x-www-form-urlencoded`
293 and is the most widely used POST kind.
294
295 The data you send to the server MUST already be properly encoded, curl does
296 not do that for you. For example, if you want the data to contain a space,
297 you need to replace that space with `%20`, etc. Failing to comply with this
298 most likely causes your data to be received wrongly and messed up.
299
300 Recent curl versions can in fact url-encode POST data for you, like this:
301
302    curl --data-urlencode "name=I am Daniel" http://www.example.com
303
304 If you repeat `--data` several times on the command line, curl concatenates
305 all the given data pieces - and put a `&` symbol between each data segment.
306
307## File Upload POST
308
309 Back in late 1995 they defined an additional way to post data over HTTP. It
310 is documented in the RFC 1867, why this method sometimes is referred to as
311 RFC 1867-posting.
312
313 This method is mainly designed to better support file uploads. A form that
314 allows a user to upload a file could be written like this in HTML:
315
316    <form method="POST" enctype='multipart/form-data' action="upload.cgi">
317      <input name=upload type=file>
318      <input type=submit name=press value="OK">
319    </form>
320
321 This clearly shows that the Content-Type about to be sent is
322 `multipart/form-data`.
323
324 To post to a form like this with curl, you enter a command line like:
325
326    curl --form upload=@localfilename --form press=OK [URL]
327
328## Hidden Fields
329
330 A common way for HTML based applications to pass state information between
331 pages is to add hidden fields to the forms. Hidden fields are already filled
332 in, they are not displayed to the user and they get passed along just as all
333 the other fields.
334
335 A similar example form with one visible field, one hidden field and one
336 submit button could look like:
337
338```html
339<form method="POST" action="foobar.cgi">
340  <input type=text name="birthyear">
341  <input type=hidden name="person" value="daniel">
342  <input type=submit name="press" value="OK">
343</form>
344```
345
346 To POST this with curl, you do not have to think about if the fields are
347 hidden or not. To curl they are all the same:
348
349    curl --data "birthyear=1905&press=OK&person=daniel" [URL]
350
351## Figure Out What A POST Looks Like
352
353 When you are about to fill in a form and send it to a server by using curl
354 instead of a browser, you are of course interested in sending a POST exactly
355 the way your browser does.
356
357 An easy way to get to see this, is to save the HTML page with the form on
358 your local disk, modify the 'method' to a GET, and press the submit button
359 (you could also change the action URL if you want to).
360
361 You then clearly see the data get appended to the URL, separated with a
362 `?`-letter as GET forms are supposed to.
363
364# HTTP upload
365
366## PUT
367
368 Perhaps the best way to upload data to an HTTP server is to use PUT. Then
369 again, this of course requires that someone put a program or script on the
370 server end that knows how to receive an HTTP PUT stream.
371
372 Put a file to an HTTP server with curl:
373
374    curl --upload-file uploadfile http://www.example.com/receive.cgi
375
376# HTTP Authentication
377
378## Basic Authentication
379
380 HTTP Authentication is the ability to tell the server your username and
381 password so that it can verify that you are allowed to do the request you are
382 doing. The Basic authentication used in HTTP (which is the type curl uses by
383 default) is **plain text** based, which means it sends username and password
384 only slightly obfuscated, but still fully readable by anyone that sniffs on
385 the network between you and the remote server.
386
387 To tell curl to use a user and password for authentication:
388
389    curl --user name:password http://www.example.com
390
391## Other Authentication
392
393 The site might require a different authentication method (check the headers
394 returned by the server), and then
395 [`--ntlm`](https://curl.se/docs/manpage.html#--ntlm),
396 [`--digest`](https://curl.se/docs/manpage.html#--digest),
397 [`--negotiate`](https://curl.se/docs/manpage.html#--negotiate) or even
398 [`--anyauth`](https://curl.se/docs/manpage.html#--anyauth) might be
399 options that suit you.
400
401## Proxy Authentication
402
403 Sometimes your HTTP access is only available through the use of an HTTP
404 proxy. This seems to be especially common at various companies. An HTTP proxy
405 may require its own user and password to allow the client to get through to
406 the Internet. To specify those with curl, run something like:
407
408    curl --proxy-user proxyuser:proxypassword curl.se
409
410 If your proxy requires the authentication to be done using the NTLM method,
411 use [`--proxy-ntlm`](https://curl.se/docs/manpage.html#--proxy-ntlm), if
412 it requires Digest use
413 [`--proxy-digest`](https://curl.se/docs/manpage.html#--proxy-digest).
414
415 If you use any one of these user+password options but leave out the password
416 part, curl prompts for the password interactively.
417
418## Hiding credentials
419
420 Do note that when a program is run, its parameters might be possible to see
421 when listing the running processes of the system. Thus, other users may be
422 able to watch your passwords if you pass them as plain command line
423 options. There are ways to circumvent this.
424
425 It is worth noting that while this is how HTTP Authentication works, many
426 websites do not use this concept when they provide logins etc. See the Web
427 Login chapter further below for more details on that.
428
429# More HTTP Headers
430
431## Referer
432
433 An HTTP request may include a 'referer' field (yes it is misspelled), which
434 can be used to tell from which URL the client got to this particular
435 resource. Some programs/scripts check the referer field of requests to verify
436 that this was not arriving from an external site or an unknown page. While
437 this is a stupid way to check something so easily forged, many scripts still
438 do it. Using curl, you can put anything you want in the referer-field and
439 thus more easily be able to fool the server into serving your request.
440
441 Use curl to set the referer field with:
442
443    curl --referer http://www.example.come http://www.example.com
444
445## User Agent
446
447 Similar to the referer field, all HTTP requests may set the User-Agent
448 field. It names what user agent (client) that is being used. Many
449 applications use this information to decide how to display pages. Silly web
450 programmers try to make different pages for users of different browsers to
451 make them look the best possible for their particular browsers. They usually
452 also do different kinds of JavaScript etc.
453
454 At times, you may learn that getting a page with curl does not return the
455 same page that you see when getting the page with your browser. Then you know
456 it is time to set the User Agent field to fool the server into thinking you
457 are one of those browsers.
458
459 By default, curl uses curl/VERSION, such as User-Agent: curl/8.11.0.
460
461 To make curl look like Internet Explorer 5 on a Windows 2000 box:
462
463    curl --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" [URL]
464
465 Or why not look like you are using Netscape 4.73 on an old Linux box:
466
467    curl --user-agent "Mozilla/4.73 [en] (X11; U; Linux 2.2.15 i686)" [URL]
468
469## Redirects
470
471## Location header
472
473 When a resource is requested from a server, the reply from the server may
474 include a hint about where the browser should go next to find this page, or a
475 new page keeping newly generated output. The header that tells the browser to
476 redirect is `Location:`.
477
478 Curl does not follow `Location:` headers by default, but simply displays such
479 pages in the same manner it displays all HTTP replies. It does however
480 feature an option that makes it attempt to follow the `Location:` pointers.
481
482 To tell curl to follow a Location:
483
484    curl --location http://www.example.com
485
486 If you use curl to POST to a site that immediately redirects you to another
487 page, you can safely use [`--location`](https://curl.se/docs/manpage.html#-L)
488 (`-L`) and `--data`/`--form` together. Curl only uses POST in the first
489 request, and then revert to GET in the following operations.
490
491## Other redirects
492
493 Browsers typically support at least two other ways of redirects that curl
494 does not: first the html may contain a meta refresh tag that asks the browser
495 to load a specific URL after a set number of seconds, or it may use
496 JavaScript to do it.
497
498# Cookies
499
500## Cookie Basics
501
502 The way the web browsers do "client side state control" is by using
503 cookies. Cookies are just names with associated contents. The cookies are
504 sent to the client by the server. The server tells the client for what path
505 and hostname it wants the cookie sent back, and it also sends an expiration
506 date and a few more properties.
507
508 When a client communicates with a server with a name and path as previously
509 specified in a received cookie, the client sends back the cookies and their
510 contents to the server, unless of course they are expired.
511
512 Many applications and servers use this method to connect a series of requests
513 into a single logical session. To be able to use curl in such occasions, we
514 must be able to record and send back cookies the way the web application
515 expects them. The same way browsers deal with them.
516
517## Cookie options
518
519 The simplest way to send a few cookies to the server when getting a page with
520 curl is to add them on the command line like:
521
522    curl --cookie "name=Daniel" http://www.example.com
523
524 Cookies are sent as common HTTP headers. This is practical as it allows curl
525 to record cookies simply by recording headers. Record cookies with curl by
526 using the [`--dump-header`](https://curl.se/docs/manpage.html#-D) (`-D`)
527 option like:
528
529    curl --dump-header headers_and_cookies http://www.example.com
530
531 (Take note that the
532 [`--cookie-jar`](https://curl.se/docs/manpage.html#-c) option described
533 below is a better way to store cookies.)
534
535 Curl has a full blown cookie parsing engine built-in that comes in use if you
536 want to reconnect to a server and use cookies that were stored from a
537 previous connection (or hand-crafted manually to fool the server into
538 believing you had a previous connection). To use previously stored cookies,
539 you run curl like:
540
541    curl --cookie stored_cookies_in_file http://www.example.com
542
543 Curl's "cookie engine" gets enabled when you use the
544 [`--cookie`](https://curl.se/docs/manpage.html#-b) option. If you only
545 want curl to understand received cookies, use `--cookie` with a file that
546 does not exist. Example, if you want to let curl understand cookies from a
547 page and follow a location (and thus possibly send back cookies it received),
548 you can invoke it like:
549
550    curl --cookie nada --location http://www.example.com
551
552 Curl has the ability to read and write cookie files that use the same file
553 format that Netscape and Mozilla once used. It is a convenient way to share
554 cookies between scripts or invokes. The `--cookie` (`-b`) switch
555 automatically detects if a given file is such a cookie file and parses it,
556 and by using the `--cookie-jar` (`-c`) option you make curl write a new
557 cookie file at the end of an operation:
558
559    curl --cookie cookies.txt --cookie-jar newcookies.txt \
560      http://www.example.com
561
562# HTTPS
563
564## HTTPS is HTTP secure
565
566 There are a few ways to do secure HTTP transfers. By far the most common
567 protocol for doing this is what is generally known as HTTPS, HTTP over
568 SSL. SSL encrypts all the data that is sent and received over the network and
569 thus makes it harder for attackers to spy on sensitive information.
570
571 SSL (or TLS as the current version of the standard is called) offers a set of
572 advanced features to do secure transfers over HTTP.
573
574 Curl supports encrypted fetches when built to use a TLS library and it can be
575 built to use one out of a fairly large set of libraries - `curl -V` shows
576 which one your curl was built to use (if any). To get a page from an HTTPS
577 server, simply run curl like:
578
579    curl https://secure.example.com
580
581## Certificates
582
583 In the HTTPS world, you use certificates to validate that you are the one you
584 claim to be, as an addition to normal passwords. Curl supports client- side
585 certificates. All certificates are locked with a passphrase, which you need
586 to enter before the certificate can be used by curl. The passphrase can be
587 specified on the command line or if not, entered interactively when curl
588 queries for it. Use a certificate with curl on an HTTPS server like:
589
590    curl --cert mycert.pem https://secure.example.com
591
592 curl also tries to verify that the server is who it claims to be, by
593 verifying the server's certificate against a locally stored CA cert bundle.
594 Failing the verification causes curl to deny the connection. You must then
595 use [`--insecure`](https://curl.se/docs/manpage.html#-k) (`-k`) in case you
596 want to tell curl to ignore that the server cannot be verified.
597
598 More about server certificate verification and ca cert bundles can be read in
599 the [`SSLCERTS` document](https://curl.se/docs/sslcerts.html).
600
601 At times you may end up with your own CA cert store and then you can tell
602 curl to use that to verify the server's certificate:
603
604    curl --cacert ca-bundle.pem https://example.com/
605
606# Custom Request Elements
607
608## Modify method and headers
609
610 Doing fancy stuff, you may need to add or change elements of a single curl
611 request.
612
613 For example, you can change the POST method to `PROPFIND` and send the data
614 as `Content-Type: text/xml` (instead of the default `Content-Type`) like
615 this:
616
617    curl --data "<xml>" --header "Content-Type: text/xml" \
618      --request PROPFIND example.com
619
620 You can delete a default header by providing one without content. Like you
621 can ruin the request by chopping off the `Host:` header:
622
623    curl --header "Host:" http://www.example.com
624
625 You can add headers the same way. Your server may want a `Destination:`
626 header, and you can add it:
627
628    curl --header "Destination: http://nowhere" http://example.com
629
630## More on changed methods
631
632 It should be noted that curl selects which methods to use on its own
633 depending on what action to ask for. `-d` makes a POST, `-I` makes a HEAD and
634 so on. If you use the [`--request`](https://curl.se/docs/manpage.html#-X) /
635 `-X` option you can change the method keyword curl selects, but you do not
636 modify curl's behavior. This means that if you for example use -d "data" to
637 do a POST, you can modify the method to a `PROPFIND` with `-X` and curl still
638 thinks it sends a POST. You can change the normal GET to a POST method by
639 simply adding `-X POST` in a command line like:
640
641    curl -X POST http://example.org/
642
643 curl however still acts as if it sent a GET so it does not send any request
644 body etc.
645
646# Web Login
647
648## Some login tricks
649
650 While not strictly just HTTP related, it still causes a lot of people
651 problems so here's the executive run-down of how the vast majority of all
652 login forms work and how to login to them using curl.
653
654 It can also be noted that to do this properly in an automated fashion, you
655 most certainly need to script things and do multiple curl invokes etc.
656
657 First, servers mostly use cookies to track the logged-in status of the
658 client, so you need to capture the cookies you receive in the responses.
659 Then, many sites also set a special cookie on the login page (to make sure
660 you got there through their login page) so you should make a habit of first
661 getting the login-form page to capture the cookies set there.
662
663 Some web-based login systems feature various amounts of JavaScript, and
664 sometimes they use such code to set or modify cookie contents. Possibly they
665 do that to prevent programmed logins, like this manual describes how to...
666 Anyway, if reading the code is not enough to let you repeat the behavior
667 manually, capturing the HTTP requests done by your browsers and analyzing the
668 sent cookies is usually a working method to work out how to shortcut the
669 JavaScript need.
670
671 In the actual `<form>` tag for the login, lots of sites fill-in
672 random/session or otherwise secretly generated hidden tags and you may need
673 to first capture the HTML code for the login form and extract all the hidden
674 fields to be able to do a proper login POST. Remember that the contents need
675 to be URL encoded when sent in a normal POST.
676
677# Debug
678
679## Some debug tricks
680
681 Many times when you run curl on a site, you notice that the site does not
682 seem to respond the same way to your curl requests as it does to your
683 browser's.
684
685 Then you need to start making your curl requests more similar to your
686 browser's requests:
687
688 - Use the `--trace-ascii` option to store fully detailed logs of the requests
689   for easier analyzing and better understanding
690
691 - Make sure you check for and use cookies when needed (both reading with
692   `--cookie` and writing with `--cookie-jar`)
693
694 - Set user-agent (with [`-A`](https://curl.se/docs/manpage.html#-A)) to
695   one like a recent popular browser does
696
697 - Set referer (with [`-E`](https://curl.se/docs/manpage.html#-E)) like
698   it is set by the browser
699
700 - If you use POST, make sure you send all the fields and in the same order as
701   the browser does it.
702
703## Check what the browsers do
704
705 A good helper to make sure you do this right, is the web browsers' developers
706 tools that let you view all headers you send and receive (even when using
707 HTTPS).
708
709 A more raw approach is to capture the HTTP traffic on the network with tools
710 such as Wireshark or tcpdump and check what headers that were sent and
711 received by the browser. (HTTPS forces you to use `SSLKEYLOGFILE` to do
712 that.)
713