docs: switch more URLs to https://

Normalize using https:// almost everywhere instead of http:// Closes #19872
2026-04-14 18:11:40 +03:00 · 2025-12-08 11:11:02 +01:00 · 2025-12-08 11:11:02 +01:00 · ab9beda1b3
commit ab9beda1b3
parent a1c01b2015
14 changed files with 99 additions and 97 deletions
--- a/.github/scripts/codespell-ignore.words
+++ b/.github/scripts/codespell-ignore.words
@ -7,7 +7,7 @@ bu
 clen
 CNA
 hel
-htpt
+htpts
 inout
 PASE
 passwor
--- a/.github/scripts/typos.toml
+++ b/.github/scripts/typos.toml
@ -6,7 +6,7 @@
 extend-ignore-identifiers-re = [
  "^(ba|fo|pn|PN|UE)$",
  "^(CNA|ser)$",
-  "^(ECT0|ECT1|HELO|htpt|PASE)$",
+  "^(ECT0|ECT1|HELO|htpts|PASE)$",
  "^[A-Za-z0-9_-]*(EDE|GOST)[A-Z0-9_-]*$",  # ciphers
  "^0x[0-9a-fA-F]+FUL$",  # unsigned long hex literals ending with 'F'
  "^(eyeballers|HELO_smtp|Januar|optin|passin|perfec|SMTP_HELO)$",
--- a/docs/FAQ
+++ b/docs/FAQ
@ -533,7 +533,7 @@ FAQ
  that informs the client about this is only interpreted if you are using the
  -L/--location option. As in:

-     curl -L http://example.com
+     curl -L https://example.com

  Not all redirects are HTTP ones, see 4.14

@ -719,13 +719,13 @@ FAQ
  Set a custom Host: header that identifies the server name you want to reach
  but use the target IP address in the URL:

-    curl --header "Host: www.example.com" http://127.0.0.1/
+    curl --header "Host: www.example.com" https://somewhere.example/

  You can also opt to add faked hostname entries to curl with the --resolve
  option. That has the added benefit that things like redirects will also work
  properly. The above operation would instead be done as:

-    curl --resolve www.example.com:80:127.0.0.1 http://www.example.com/
+    curl --resolve www.example.com:80:127.0.0.1 https://www.example.com/

  3.20 How to SFTP from my user's home directory?

@ -753,8 +753,8 @@ FAQ
  be disabled or not supported.

  Note that this error will also occur if you pass a wrongly spelled protocol
-  part as in "htpt://example.com" or as in the less evident case if you prefix
-  the protocol part with a space as in " http://example.com/".
+  part as in "htpts://example.com" or as in the less evident case if you
+  prefix the protocol part with a space as in " https://example.com/".

  3.22 curl -X gives me HTTP problems

@ -762,7 +762,7 @@ FAQ

  By default you use curl without explicitly saying which request method to
  use when the URL identifies an HTTP transfer. If you just pass in a URL like
-  "curl http://example.com" it will use GET. If you use -d or -F curl will use
+  "curl https://example.com" it will use GET. If you use -d or -F curl will use
  POST, -I will cause a HEAD and -T will make it a PUT.

  If for whatever reason you are not happy with these default choices that curl
@ -796,7 +796,7 @@ FAQ

  An example that would invoke a remote CGI that uses &-symbols could be:

-     curl 'http://www.example.com/cgi-bin/query?text=yes&q=curl'
+     curl 'https://www.example.com/cgi-bin/query?text=yes&q=curl'

  In Windows, the standard DOS shell treats the percent sign specially and you
  need to use TWO percent signs for each single one you want to use in the
@ -865,7 +865,7 @@ FAQ
    If you get this return code and an HTML output similar to this:

       <H1>Moved Permanently</H1> The document has moved <A
-       HREF="http://same_url_now_with_a_trailing_slash/">here</A>.
+       HREF="https://same_url_now_with_a_trailing_slash.example/">here</A>.

    it might be because you requested a directory URL but without the trailing
    slash. Try the same operation again _with_ the trailing URL, or use the
--- a/docs/MANUAL.md
+++ b/docs/MANUAL.md
@ -34,7 +34,7 @@ Get the definition of curl from a dictionary:

 Fetch two documents at once:

-    curl ftp://ftp.example.com/ http://www.example.com:8000/
+    curl ftp://ftp.example.com/ https://www.example.com:8000/

 Get a file off an FTPS server:

@ -71,12 +71,12 @@ Get a file from an SMB server:

 Get a webpage and store in a local file with a specific name:

-    curl -o thatpage.html http://www.example.com/
+    curl -o thatpage.html https://www.example.com/

 Get a webpage and store in a local file, make the local file get the name of
 the remote document (if no filename part is specified in the URL, this fails):

-    curl -O http://www.example.com/index.html
+    curl -O https://www.example.com/index.html

 Fetch two files and store them with their remote names:

@ -115,14 +115,14 @@ matching public key file must be specified using the `--pubkey` option.

 ### HTTP

-curl also supports user and password in HTTP URLs, thus you can pick a file
+curl also supports user and password in HTTP(S) URLs. You can download a file
 like:

-    curl http://name:passwd@http.server.example/full/path/to/file
+    curl https://name:passwd@http.server.example/full/path/to/file

 or specify user and password separately like in

-    curl -u name:passwd http://http.server.example/full/path/to/file
+    curl -u name:passwd https://http.server.example/full/path/to/file

 HTTP offers many different methods of authentication and curl supports
 several: Basic, Digest, NTLM and Negotiate (SPNEGO). Without telling which
@ -151,19 +151,19 @@ Get an ftp file using an HTTP proxy named my-proxy that uses port 888:

    curl -x my-proxy:888 ftp://ftp.example.com/README

-Get a file from an HTTP server that requires user and password, using the
+Get a file from an HTTPS server that requires user and password, using the
 same proxy as above:

-    curl -u user:passwd -x my-proxy:888 http://www.example.com/
+    curl -u user:passwd -x my-proxy:888 https://www.example.com/

 Some proxies require special authentication. Specify by using -U as above:

-    curl -U user:passwd -x my-proxy:888 http://www.example.com/
+    curl -U user:passwd -x my-proxy:888 https://www.example.com/

 A comma-separated list of hosts and domains which do not use the proxy can be
 specified as:

-    curl --noproxy example.com -x my-proxy:888 http://www.example.com/
+    curl --noproxy example.com -x my-proxy:888 https://www.example.com/

 If the proxy is specified with `--proxy1.0` instead of `--proxy` or `-x`, then
 curl uses HTTP/1.0 instead of HTTP/1.1 for any `CONNECT` attempts.
@ -204,11 +204,11 @@ one or more sub-parts of a specified document. curl supports this with the

 Get the first 100 bytes of a document:

-    curl -r 0-99 http://www.example.com/
+    curl -r 0-99 https://www.example.com/

 Get the last 500 bytes of a document:

-    curl -r -500 http://www.example.com/
+    curl -r -500 https://www.example.com/

 curl also supports simple ranges for FTP files as well. Then you can only
 specify start and stop position.
@ -251,9 +251,9 @@ fashion similar to:

 ### HTTP

-Upload all data on stdin to a specified HTTP site:
+Upload all data on stdin to a specified HTTPS site:

-    curl -T - http://www.example.com/myfile
+    curl -T - https://www.example.com/myfile

 Note that the HTTP server must have been configured to accept PUT before this
 can be done successfully.
@ -305,12 +305,12 @@ The post data must be urlencoded.

 Post a simple `name` and `phone` guestbook.

-    curl -d "name=Rafael%20Sagula&phone=3320780" http://www.example.com/guest.cgi
+    curl -d "name=Rafael%20Sagula&phone=3320780" https://www.example.com/guest.cgi

 Or automatically [URL encode the data](https://everything.curl.dev/http/post/url-encode).

    curl --data-urlencode "name=Rafael Sagula&phone=3320780"
-      http://www.example.com/guest.cgi
+      https://www.example.com/guest.cgi

 How to post a form with curl, lesson #1:

@ -329,7 +329,7 @@ of the letter's ASCII code.

 Example:

-(say if `http://example.com` had the following html)
+(say if `https://example.com` had the following html)

 ```html
 <form action="post.cgi" method="post">
@ -345,7 +345,7 @@ We want to enter user `foobar` with password `12345`.
 To post to this, you would enter a curl command line like:

    curl -d "user=foobar&pass=12345&id=blablabla&ding=submit"
-      http://example.com/post.cgi
+      https://example.com/post.cgi

 While `-d` uses the application/x-www-form-urlencoded mime-type, generally
 understood by CGI's and similar, curl also supports the more capable
@ -359,7 +359,7 @@ example, the field name `coolfiles` is used to send three files, with
 different content types using the following syntax:

    curl -F "coolfiles=@fil1.gif;type=image/gif,fil2.txt,fil3.html"
-      http://www.example.com/postit.cgi
+      https://www.example.com/postit.cgi

 If the content-type is not specified, curl tries to guess from the file
 extension (it only knows a few), or use the previously specified type (from an
@ -376,7 +376,7 @@ the names of the input fields. In our example, the input field names are

    curl -F "file=@cooltext.txt" -F "yourname=Daniel"
      -F "filedescription=Cool text file with cool text inside"
-      http://www.example.com/postit.cgi
+      https://www.example.com/postit.cgi

 To send two files in one post you can do it in two ways:

@ -402,7 +402,7 @@ used on the command line. It is especially useful to fool or trick stupid
 servers or CGI scripts that rely on that information being available or
 contain certain data.

-    curl -e www.example.org http://www.example.com/
+    curl -e www.example.org https://www.example.com/

 ## User Agent

@ -413,7 +413,7 @@ accept certain browsers.

 Example:

-    curl -A 'Mozilla/3.0 (Win95; I)' http://www.bank.example.com/
+    curl -A 'Mozilla/3.0 (Win95; I)' https://www.bank.example.com/

 Other common strings:

@ -596,14 +596,14 @@ Force curl to get and display a local help page in case it is invoked without
 URL by making a config file similar to:

    # default url to get
-    url = "http://help.with.curl.example.com/curlhelp.html"
+    url = "https://help.with.curl.example.com/curlhelp.html"

 You can specify another config file to be read by using the `-K`/`--config`
 flag. If you set config filename to `-` it reads the config from stdin, which
 can be handy if you want to hide options from being visible in process tables
 etc:

-    echo "user = user:passwd" | curl -K - http://that.secret.example.com
+    echo "user = user:passwd" | curl -K - https://that.secret.example.com

 ## Extra Headers

@ -685,11 +685,11 @@ Download with `PORT` but use 192.168.0.10 as our IP address to use:

 Get a webpage from a server using a specified port for the interface:

-    curl --interface eth0:1 http://www.example.com/
+    curl --interface eth0:1 https://www.example.com/

 or

-    curl --interface 192.168.1.10 http://www.example.com/
+    curl --interface 192.168.1.10 https://www.example.com/

 ## HTTPS

@ -740,7 +740,7 @@ Continue uploading a document:

 Continue downloading a document from a web server

-    curl -C - -o file http://www.example.com/
+    curl -C - -o file https://www.example.com/

 ## Time Conditions

@ -751,17 +751,17 @@ them with the `-z`/`--time-cond` flag.
 For example, you can easily make a download that only gets performed if the
 remote file is newer than a local copy. It would be made like:

-    curl -z local.html http://remote.example.com/remote.html
+    curl -z local.html https://remote.example.com/remote.html

 Or you can download a file only if the local file is newer than the remote
 one. Do this by prepending the date string with a `-`, as in:

-    curl -z -local.html http://remote.example.com/remote.html
+    curl -z -local.html https://remote.example.com/remote.html

 You can specify a plain text date as condition. Tell curl to only download the
 file if it was updated since January 12, 2012:

-    curl -z "Jan 12 2012" http://remote.example.com/remote.html
+    curl -z "Jan 12 2012" https://remote.example.com/remote.html

 curl accepts a wide range of date formats. You always make the date check the
 other way around by prepending it with a dash (`-`).
@ -944,7 +944,7 @@ URL you specify. Note that this also goes for the `-O` option (but not
 For example: get two files and use `-O` for the first and a custom file
 name for the second:

-    curl -O http://example.com/file.txt ftp://example.com/moo.exe -o moo.jpg
+    curl -O https://example.com/file.txt ftp://example.com/moo.exe -o moo.jpg

 You can also upload multiple files in a similar fashion:

@ -957,7 +957,7 @@ and fall back to IPv4 if the connection fails. The `--ipv4` and `--ipv6`
 options can specify which address to use when both are available. IPv6
 addresses can also be specified directly in URLs using the syntax:

-    http://[2001:1890:1112:1::20]/overview.html
+    https://[2001:1890:1112:1::20]/overview.html

 When this style is used, the `-g` option must be given to stop curl from
 interpreting the square brackets as special globbing characters. Link local
--- a/docs/TheArtOfHttpScripting.md
+++ b/docs/TheArtOfHttpScripting.md
@ -57,7 +57,7 @@ SPDX-License-Identifier: curl
 offer even more details as they show **everything** curl sends and
 receives. Use it like this:

-    curl --trace-ascii debugdump.txt http://www.example.com/
+    curl --trace-ascii debugdump.txt https://www.example.com/

 ## See the Timing

@ -67,7 +67,7 @@ SPDX-License-Identifier: curl
 [`--trace-time`](https://curl.se/docs/manpage.html#--trace-time) option is
 what you need. It prepends the time to each trace output line:

-    curl --trace-ascii d.txt --trace-time http://example.com/
+    curl --trace-ascii d.txt --trace-time https://example.com/

 ## See which Transfer

@ -78,7 +78,7 @@ SPDX-License-Identifier: curl
 you need. It prepends the transfer and connection identifier to each trace
 output line:

-    curl --trace-ascii d.txt --trace-ids http://example.com/
+    curl --trace-ascii d.txt --trace-ids https://example.com/

 ## See the Response

@ -104,7 +104,7 @@ SPDX-License-Identifier: curl
 IP address for a hostname than what would otherwise be used, by using curl's
 [`--resolve`](https://curl.se/docs/manpage.html#--resolve) option:

-    curl --resolve www.example.org:80:127.0.0.1 http://www.example.org/
+    curl --resolve www.example.org:80:127.0.0.1 https://www.example.org/

 ## Port number

@ -115,14 +115,14 @@ SPDX-License-Identifier: curl
 number immediately following the hostname. Like when doing HTTP to port
 1234:

-    curl http://www.example.org:1234/
+    curl https://www.example.org:1234/

 The port number you specify in the URL is the number that the server uses to
 offer its services. Sometimes you may use a proxy, and then you may
 need to specify that proxy's port number separately from what curl needs to
 connect to the server. Like when using an HTTP proxy on port 4321:

-    curl --proxy http://proxy.example.org:4321 http://remote.example.org/
+    curl --proxy http://proxy.example.org:4321 https://remote.example.org/

 ## Username and password

@ -133,11 +133,11 @@ SPDX-License-Identifier: curl
 You can opt to either insert the user and password in the URL or you can
 provide them separately:

-    curl http://user:password@example.org/
+    curl https://user:password@example.org/

 or

-    curl -u user:password http://example.org/
+    curl -u user:password https://example.org/

 You need to pay attention that this kind of HTTP authentication is not what
 is usually done and requested by user-oriented websites these days. They tend
@ -188,7 +188,7 @@ SPDX-License-Identifier: curl

 Example, send two GET requests:

-    curl http://url1.example.com http://url2.example.com
+    curl https://url1.example.com https://url2.example.com

 If you use [`--data`](https://curl.se/docs/manpage.html#-d) to POST to
 the URL, using multiple URLs means that you send that same POST to all the
@ -196,7 +196,7 @@ SPDX-License-Identifier: curl

 Example, send two POSTs:

-    curl --data name=curl http://url1.example.com http://url2.example.com
+    curl --data name=curl https://url1.example.com https://url2.example.com


 ## Multiple HTTP methods in a single command line
@ -214,11 +214,11 @@ SPDX-License-Identifier: curl
 Perhaps this is best shown with a few examples. To send first a HEAD and then
 a GET:

-    curl -I http://example.com --next http://example.com
+    curl -I https://example.com --next https://example.com

 To first send a POST and then a GET:

-    curl -d score=10 http://example.com/post.cgi --next http://example.com/results.html
+    curl -d score=10 https://example.com/post.cgi --next https://example.com/results.html

 # HTML forms

@ -261,7 +261,7 @@ SPDX-License-Identifier: curl
 To make curl do the GET form post for you, just enter the expected created
 URL:

-    curl "http://www.example.com/when/junk.cgi?birthyear=1905&press=OK"
+    curl "https://www.example.com/when/junk.cgi?birthyear=1905&press=OK"

 ## POST

@ -287,7 +287,7 @@ SPDX-License-Identifier: curl
 And to use curl to post this form with the same data filled in as before, we
 could do it like:

-    curl --data "birthyear=1905&press=%20OK%20" http://www.example.com/when/junk.cgi
+    curl --data "birthyear=1905&press=%20OK%20" https://www.example.com/when/junk.cgi

 This kind of POST uses the Content-Type `application/x-www-form-urlencoded`
 and is the most widely used POST kind.
@ -299,7 +299,7 @@ SPDX-License-Identifier: curl

 Recent curl versions can in fact url-encode POST data for you, like this:

-    curl --data-urlencode "name=I am Daniel" http://www.example.com
+    curl --data-urlencode "name=I am Daniel" https://www.example.com

 If you repeat `--data` several times on the command line, curl concatenates
 all the given data pieces - and put a `&` symbol between each data segment.
@ -371,7 +371,7 @@ SPDX-License-Identifier: curl

 Put a file to an HTTP server with curl:

-    curl --upload-file uploadfile http://www.example.com/receive.cgi
+    curl --upload-file uploadfile https://www.example.com/receive.cgi

 # HTTP Authentication

@ -386,7 +386,7 @@ SPDX-License-Identifier: curl

 To tell curl to use a user and password for authentication:

-    curl --user name:password http://www.example.com
+    curl --user name:password https://www.example.com

 ## Other Authentication

@ -440,7 +440,7 @@ SPDX-License-Identifier: curl

 Use curl to set the referer field with:

-    curl --referer http://www.example.come http://www.example.com
+    curl --referer https://www.example.come https://www.example.com

 ## User Agent

@ -481,7 +481,7 @@ SPDX-License-Identifier: curl

 To tell curl to follow a Location:

-    curl --location http://www.example.com
+    curl --location https://www.example.com

 If you use curl to POST to a site that immediately redirects you to another
 page, you can safely use [`--location`](https://curl.se/docs/manpage.html#-L)
@ -519,14 +519,14 @@ SPDX-License-Identifier: curl
 The simplest way to send a few cookies to the server when getting a page with
 curl is to add them on the command line like:

-    curl --cookie "name=Daniel" http://www.example.com
+    curl --cookie "name=Daniel" https://www.example.com

 Cookies are sent as common HTTP headers. This is practical as it allows curl
 to record cookies simply by recording headers. Record cookies with curl by
 using the [`--dump-header`](https://curl.se/docs/manpage.html#-D) (`-D`)
 option like:

-    curl --dump-header headers_and_cookies http://www.example.com
+    curl --dump-header headers_and_cookies https://www.example.com

 (Take note that the
 [`--cookie-jar`](https://curl.se/docs/manpage.html#-c) option described
@ -538,7 +538,7 @@ SPDX-License-Identifier: curl
 believing you had a previous connection). To use previously stored cookies,
 you run curl like:

-    curl --cookie stored_cookies_in_file http://www.example.com
+    curl --cookie stored_cookies_in_file https://www.example.com

 curl's "cookie engine" gets enabled when you use the
 [`--cookie`](https://curl.se/docs/manpage.html#-b) option. If you only
@ -547,7 +547,7 @@ SPDX-License-Identifier: curl
 page and follow a location (and thus possibly send back cookies it received),
 you can invoke it like:

-    curl --cookie nada --location http://www.example.com
+    curl --cookie nada --location https://www.example.com

 curl has the ability to read and write cookie files that use the same file
 format that Netscape and Mozilla once used. It is a convenient way to share
@ -557,7 +557,7 @@ SPDX-License-Identifier: curl
 cookie file at the end of an operation:

    curl --cookie cookies.txt --cookie-jar newcookies.txt \
-      http://www.example.com
+      https://www.example.com

 # HTTPS

@ -620,12 +620,12 @@ SPDX-License-Identifier: curl
 You can delete a default header by providing one without content. Like you
 can ruin the request by chopping off the `Host:` header:

-    curl --header "Host:" http://www.example.com
+    curl --header "Host:" https://www.example.com

 You can add headers the same way. Your server may want a `Destination:`
 header, and you can add it:

-    curl --header "Destination: http://nowhere" http://example.com
+    curl --header "Destination: nowhere" https://example.com

 ## More on changed methods

@ -638,7 +638,7 @@ SPDX-License-Identifier: curl
 thinks it sends a POST. You can change the normal GET to a POST method by
 simply adding `-X POST` in a command line like:

-    curl -X POST http://example.org/
+    curl -X POST https://example.org/

 curl however still acts as if it sent a GET so it does not send any request
 body etc.
--- a/docs/URL-SYNTAX.md
+++ b/docs/URL-SYNTAX.md
@ -130,7 +130,7 @@ character or string.

 For example, this could look like:

-    http://user:password@www.example.com:80/index.html?foo=bar#top
+    https://user:password@www.example.com:80/index.html?foo=bar#top

 ## Scheme

@ -169,13 +169,13 @@ local network name of the machine on your network or the IP address of the
 server or machine represented by either an IPv4 or IPv6 address (within
 brackets). For example:

-    http://www.example.com/
+    https://www.example.com/

-    http://hostname/
+    https://hostname.example/

-    http://192.168.0.1/
+    https://192.168.0.1/

-    http://[2001:1890:1112:1::20]/
+    https://[2001:1890:1112:1::20]/

 ### "localhost"

--- a/docs/cmdline-opts/_ENVIRONMENT.md
+++ b/docs/cmdline-opts/_ENVIRONMENT.md
@ -31,12 +31,12 @@ This environment variable disables use of the proxy even when specified with
 the --proxy option. That is

    NO_PROXY=direct.example.com curl -x http://proxy.example.com
-    http://direct.example.com
+    https://direct.example.com

 accesses the target URL directly, and

    NO_PROXY=direct.example.com curl -x http://proxy.example.com
-    http://somewhere.example.com
+    https://somewhere.example.com

 accesses the target URL through the proxy.

--- a/docs/cmdline-opts/_GLOBBING.md
+++ b/docs/cmdline-opts/_GLOBBING.md
@ -6,7 +6,9 @@ or ranges within brackets. We call this "globbing".

 Provide a list with three different names like this:

-    http://site.{one,two,three}.com
+    https://fun.example/{one,two,three}.jpg
+
+    sftp://{one,two,three}.example/README

 Do sequences of alphanumeric series by using [] as in:

@ -23,14 +25,14 @@ With letters through the alphabet:
 Nested sequences are not supported, but you can use several ones next to each
 other:

-    http://example.com/archive[1996-1999]/vol[1-4]/part{a,b,c}.html
+    https://example.com/archive[1996-1999]/vol[1-4]/part{a,b,c}.html

 You can specify a step counter for the ranges to get every Nth number or
 letter:

-    http://example.com/file[1-100:10].txt
+    https://example.com/file[1-100:10].txt

-    http://example.com/file[a-z:2].txt
+    https://example.com/file[a-z:2].txt

 When using [] or {} sequences when invoked from a command line prompt, you
 probably have to put the full URL within double quotes to avoid the shell from
--- a/docs/libcurl/libcurl-security.md
+++ b/docs/libcurl/libcurl-security.md
@ -144,9 +144,10 @@ The CURLOPT_REDIR_PROTOCOLS_STR(3) and CURLOPT_NETRC(3) options can be
 used to mitigate against this kind of attack.

 A redirect can also specify a location available only on the machine running
-libcurl, including servers hidden behind a firewall from the attacker.
-E.g. **http://127.0.0.1/** or **http://intranet/delete-stuff.cgi?delete=all** or
-**tftp://bootp-server/pc-config-data**
+libcurl, including servers hidden behind a firewall from the attacker. E.g.
+**https://127.0.0.1/** or
+**https://intranet.example/delete-stuff.cgi?delete=all** or
+**tftp://bootp-server.example/pc-config-data**

 Applications can mitigate against this by disabling
 CURLOPT_FOLLOWLOCATION(3) and handling redirects itself, sanitizing URLs
@ -172,11 +173,10 @@ way you did not intend such as injecting new headers.
 A user who can control the DNS server of a domain being passed in within a URL
 can change the address of the host to a local, private address which a
 server-side libcurl-using application could then use. E.g. the innocuous URL
-**http://fuzzybunnies.example.com/** could actually resolve to the IP
-address of a server behind a firewall, such as 127.0.0.1 or
-10.1.2.3. Applications can mitigate against this by setting a
-CURLOPT_OPENSOCKETFUNCTION(3) or CURLOPT_PREREQFUNCTION(3) and
-checking the address before a connection.
+**https://fuzzybunnies.example.com/** could actually resolve to the IP address
+of a server behind a firewall, such as 127.0.0.1 or 10.1.2.3. Applications can
+mitigate against this by setting a CURLOPT_OPENSOCKETFUNCTION(3) or
+CURLOPT_PREREQFUNCTION(3) and checking the address before a connection.

 All the malicious scenarios regarding redirected URLs apply just as well to
 non-redirected URLs, if the user is allowed to specify an arbitrary URL that
@ -254,7 +254,7 @@ the request.
 If cookies are enabled and cached, then a user could craft a URL which
 performs some malicious action to a site whose authentication is already
 stored in a cookie. E.g.
-**http://mail.example.com/delete-stuff.cgi?delete=all** Applications can
+**https://mail.example.com/delete-stuff.cgi?delete=all** Applications can
 mitigate against this by disabling cookies or clearing them between requests.

 # Dangerous SCP URLs
@ -315,8 +315,8 @@ if creative use of special characters are applied?

 If the user can set the URL, the user can also specify the scheme part to
 other protocols that you did not intend for users to use and perhaps did not
-consider. curl supports over 20 different URL schemes. "http://" might be what
-you thought, "ftp://" or "imap://" might be what the user gives your
+consider. curl supports over 27 different URL schemes. `https://` might be
+what you expect, `ftp://` or `imap://` might be what the user gives your
 application. Also, cross-protocol operations might be done by using a
 particular scheme in the URL but point to a server doing a different protocol
 on a non-standard port.
--- a/docs/libcurl/libcurl-tutorial.md
+++ b/docs/libcurl/libcurl-tutorial.md
@ -194,7 +194,7 @@ One of the most basic properties to set in the handle is the URL. You set your
 preferred URL to transfer with CURLOPT_URL(3) in a manner similar to:

 ~~~c
- curl_easy_setopt(handle, CURLOPT_URL, "http://example.com/");
+ curl_easy_setopt(handle, CURLOPT_URL, "https://example.com/");
 ~~~

 Let's assume for a while that you want to receive data as the URL identifies a
@ -470,7 +470,7 @@ libcurl to post it all to the remote site:
 ~~~c
    char *data = "name=daniel&project=curl";
    curl_easy_setopt(handle, CURLOPT_POSTFIELDS, data);
-    curl_easy_setopt(handle, CURLOPT_URL, "http://posthere.com/");
+    curl_easy_setopt(handle, CURLOPT_URL, "https://posthere.example/");

    curl_easy_perform(handle); /* post away! */
 ~~~
--- a/docs/libcurl/opts/CURLINFO_PROXYAUTH_USED.md
+++ b/docs/libcurl/opts/CURLINFO_PROXYAUTH_USED.md
@ -45,7 +45,7 @@ int main(void)
  if(curl) {
    CURLcode res;
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
-    curl_easy_setopt(curl, CURLOPT_PROXY, "http://proxy.example.com");
+    curl_easy_setopt(curl, CURLOPT_PROXY, "http://proxy.example");
    curl_easy_setopt(curl, CURLOPT_PROXYAUTH,
                     CURLAUTH_BASIC | CURLAUTH_DIGEST);
    curl_easy_setopt(curl, CURLOPT_PROXYUSERNAME, "shrek");
--- a/docs/libcurl/opts/CURLOPT_NOPROXY.md
+++ b/docs/libcurl/opts/CURLOPT_NOPROXY.md
@ -76,7 +76,7 @@ int main(void)
    /* accept various URLs */
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    /* use this proxy */
-    curl_easy_setopt(curl, CURLOPT_PROXY, "http://proxy:80");
+    curl_easy_setopt(curl, CURLOPT_PROXY, "http://proxy.example:80");
    /* ... but make sure this host name is not proxied */
    curl_easy_setopt(curl, CURLOPT_NOPROXY, "www.example.com");
    curl_easy_perform(curl);
--- a/docs/libcurl/opts/CURLOPT_PROXY.md
+++ b/docs/libcurl/opts/CURLOPT_PROXY.md
@ -138,7 +138,7 @@ int main(void)
  CURL *curl = curl_easy_init();
  if(curl) {
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/file.txt");
-    curl_easy_setopt(curl, CURLOPT_PROXY, "http://proxy:80");
+    curl_easy_setopt(curl, CURLOPT_PROXY, "http://proxy.example:80");
    curl_easy_perform(curl);
  }
 }
--- a/docs/libcurl/opts/CURLOPT_SUPPRESS_CONNECT_HEADERS.md
+++ b/docs/libcurl/opts/CURLOPT_SUPPRESS_CONNECT_HEADERS.md
@ -83,7 +83,7 @@ int main(void)
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");

    curl_easy_setopt(curl, CURLOPT_HEADER, 1L);
-    curl_easy_setopt(curl, CURLOPT_PROXY, "http://foo:3128");
+    curl_easy_setopt(curl, CURLOPT_PROXY, "http://proxy.example:3128");
    curl_easy_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
    curl_easy_setopt(curl, CURLOPT_SUPPRESS_CONNECT_HEADERS, 1L);