HTTP/3: the modern HTTP on QUIC
HTTP/3 is the newest version of HTTP. It carries the same web semantics as HTTP/1.1 and HTTP/2, but runs over QUIC, a secure multiplexed transport built on UDP. For most sites, it reduces latency, smooths performance on mobile and Wi‑Fi, and helps eliminate head‑of‑line blocking at the transport layer.
- Runs over QUIC (UDP) instead of TCP; always uses TLS 1.3.
- Multiplexes many streams without transport‑level head‑of‑line blocking.
- Faster handshakes (1‑RTT, with optional 0‑RTT), and connection migration when your IP changes.
- Uses QPACK for header compression, designed to avoid blocking.
- Coexists with HTTP/2 and HTTP/1.1 as seamless fallbacks.
What actually changes with HTTP/3?
HTTP/3 keeps the familiar methods, status codes, and headers, but swaps the transport stack underneath. QUIC provides encrypted, stream‑based delivery on top of UDP. Each request/response rides on its own stream, so a lost packet only delays that one stream—not every stream on the connection. Combined with faster cryptographic handshakes and better loss recovery, this yields more consistent page loads on real‑world networks.
Key transport benefits
- No TCP head‑of‑line blocking: packet loss doesn’t stall unrelated streams.
- Rapid handshake: new connections in 1 RTT; repeat connections can use 0‑RTT.
- Connection migration: sessions survive IP changes (e.g., Wi‑Fi → LTE).
- Built‑in encryption: QUIC requires TLS 1.3.
HTTP‑layer changes
- QPACK replaces HPACK for header compression with less blocking risk.
- Similar frame types and semantics to HTTP/2, mapped onto QUIC streams.
- Support for extensions (e.g., datagrams and WebTransport) on the same connection.
Why it matters for image delivery
Images dominate most pages. On shaky or congested networks, TCP loss can stall an entire HTTP/2 connection; with HTTP/3, only the affected image stream is delayed. Shorter handshakes also help first‑time visitors fetch above‑the‑fold assets sooner. For CDNs like 124 South Main, HTTP/3 means fewer long tails in load time and more resilient delivery on mobile.
Enabling HTTP/3 on your stack
- Open UDP/443 at your firewall/load balancer.
- Advertise HTTP/3 using one (or both):
Alt-Svcresponse header, for example:
Alt-Svc: h3=":443"; ma=86400- HTTPS (SVCB) DNS records to signal ALPN
h3to supporting clients.
- Use TLS 1.3 (required by QUIC). Keep HTTP/2 and HTTP/1.1 as fallbacks.
- Turn it on in your server/CDN: modern servers and CDNs expose a simple switch/flag for HTTP/3; common web servers (e.g., NGINX, Apache httpd, Caddy) have stable support in current releases.
Example header you can return from your origin or CDN:
Alt-Svc: h3=":443"; ma=86400Example NGINX listen (recent versions):
server {
listen 443 ssl http2; # HTTP/2 fallback
listen 443 quic reuseport; # HTTP/3 over QUIC
ssl_protocols TLSv1.3; # QUIC requires TLS 1.3
add_header Alt-Svc 'h3=":443"; ma=86400' always;
# ... your usual TLS + location config ...
}How to check that HTTP/3 is working
- Chrome/Edge/Firefox DevTools: open the Network tab, right‑click the table header, enable the Protocol column, and look for
h3on requests. - curl:
curl --http3 https://your-domain(or--http3-onlyto fail if only HTTP/2/1.1 are available).
Performance expectations (and caveats)
- Most benefit on lossy/variable networks: fewer stalls during packet loss.
- CPU and memory: QUIC can be a bit heavier per‑connection than TCP in some stacks.
- Middleboxes: Ensure UDP/443 isn’t throttled or filtered on your path.
- Measure: enable HTTP/3, keep fallbacks, and compare real‑user metrics (LCP, CLS, TTFB).
FAQ
Is HTTP/3 always encrypted?
Yes. QUIC mandates TLS 1.3, so HTTP/3 is always encrypted. There is no plaintext mode.
Do I need to change my application code?
Usually no. HTTP methods, status codes, and headers are the same. Most changes are at the server, CDN, and network layers.
What happens if a client or network doesn’t support HTTP/3?
Clients fall back seamlessly to HTTP/2 or HTTP/1.1. Advertising HTTP/3 via Alt‑Svc or HTTPS/SVCB lets capable clients upgrade without breaking others.
Further reading
- HTTP/3 (RFC 9114)
- QUIC Transport (RFC 9000), TLS for QUIC (RFC 9001), Loss Detection (RFC 9002)
- QPACK for HTTP/3 (RFC 9204)
- Alt‑Svc (RFC 7838) and HTTPS/SVCB DNS (RFC 9460)
- curl and HTTP/3 usage
Last updated August 14, 2025.