HTTP/3 is the next major revision of the hypertext transfer protocol (HTTP). It will improve speed, security, and reliability.
After reading this article you will be able to:
Related Content
HTTP/2 vs HTTP/1.1
Why Site Speed Matters
Test the Speed of a Site
Speed Up a Website
How Site Speed Boosts SEO
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
The Hypertext Transfer Protocol (HTTP) is an essential backbone of the Internet — it dictates how communications platforms and devices exchange information and fetch resources. In short, it is what allows users to load websites.
HTTP/3 is the latest major version of HTTP. Web browsers and servers can use it for significant upgrades to user experience, including performance, reliability, and security. Negotiating HTTP versions happens seamlessly, requiring no changes to website code.
HTTP/3 is the first major upgrade to HTTP since HTTP/2 was approved in 2015. It was published and made available to all Cloudflare customers in 2021.
An important difference in HTTP/3 is that it runs on QUIC, a new transport protocol. QUIC is designed to be fast and to support switching rapidly between networks. It relies on the User Datagram Protocol (UDP) rather than the Transmission Control Protocol (TCP), which mitigates an issue called head-of-line blocking in TCP, where network packet loss or reordering can slow down high-transaction connections. Furthermore, QUIC separates out the layer 4 transport connection from the layer 3 IP flow, allowing for migration between different networks without disruption.
QUIC can better support mobile-heavy Internet usage in which people carry smartphones and constantly switch from one network to another as they move about their day. This type of Internet usage was not common when the first Internet protocols were developed: devices were less portable and did not switch networks very often.
Google started work on an early version of QUIC in 2012. In 2016 it was adopted by the Internet Engineering Task Force (IETF) — a vendor-neutral standards organization — as they started creating the new HTTP/3 standard. After consulting with experts around the world, the IETF has made a host of changes to develop the now-standard version of QUIC published as RFC 9000.
QUIC helps fix some of HTTP/2's biggest shortcomings:
Requiring encryption within the transport layer, rather than at the application layer, has important implications for security. It means that the connection will always be encrypted. Previously, in HTTPS, the encryption and transport-layer connections occurred separately. TCP connections could carry data that was either encrypted or unencrypted, and the TCP handshake and Transport Layer Security (TLS) handshake were distinct events. However, QUIC sets up encrypted connections by default at the transport layer — application-layer data will always be encrypted.
QUIC accomplishes this by combining the two handshakes into one action, reducing latency since applications must wait for only one handshake to finish before sending data. It also encrypts metadata about each connection, including packet numbers and some other parts of the header, to help keep information about user behavior out of attackers' hands. This feature was not possible with HTTP/2 because it relied on TCP and TLS.
HTTP historically used plaintext TCP, which has negative consequences for security, since anyone monitoring communications can read requests and responses. Today, websites and web browsers prefer to encrypt all HTTP communications to help keep everyone safer and protect sensitive data. QUIC's encryption by default supports that goal.
Yes. HTTP/3 is implemented as standard in all major Web browsers and can be enabled by all Cloudflare customers without any changes to their origin. Learn how to make the switch for your domain.
Cloudflare Radar maintains up-to-date statistics on HTTP version usage.