What is HTTP/3?

HTTP/3 is the next major revision of the hypertext transfer protocol (HTTP). It will improve speed, security, and reliability.

Learning Objectives

After reading this article you will be able to:

  • Understand what improvements are expected in HTTP/3
  • Recognize how the protocol will shape user experience
  • Describe anticipated security benefits

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is HTTP/3?

The Hypertext Transfer Protocol (HTTP) is an essential backbone of the Internet — it dictates how communications platforms and devices exchange information and fetch resources. In short, it is what allows users to load websites.

HTTP/3 is the latest major version of HTTP. Web browsers and servers can use it for significant upgrades to user experience, including performance, reliability, and security. Negotiating HTTP versions happens seamlessly, requiring no changes to website code.

What is new in HTTP/3?

HTTP/3 is the first major upgrade to HTTP since HTTP/2 was approved in 2015. It was published and made available to all Cloudflare customers in 2021.

An important difference in HTTP/3 is that it runs on QUIC, a new transport protocol. QUIC is designed to be fast and to support switching rapidly between networks. It relies on the User Datagram Protocol (UDP) rather than the Transmission Control Protocol (TCP), which mitigates an issue called head-of-line blocking in TCP, where network packet loss or reordering can slow down high-transaction connections. Furthermore, QUIC separates out the layer 4 transport connection from the layer 3 IP flow, allowing for migration between different networks without disruption.

QUIC can better support mobile-heavy Internet usage in which people carry smartphones and constantly switch from one network to another as they move about their day. This type of Internet usage was not common when the first Internet protocols were developed: devices were less portable and did not switch networks very often.

Google started work on an early version of QUIC in 2012. In 2016 it was adopted by the Internet Engineering Task Force (IETF) — a vendor-neutral standards organization — as they started creating the new HTTP/3 standard. After consulting with experts around the world, the IETF has made a host of changes to develop the now-standard version of QUIC published as RFC 9000.

Why is a new version of HTTP needed?

QUIC helps fix some of HTTP/2's biggest shortcomings:

  • Decreasing the effects of packet loss — when one packet of information does not make it to its destination, it will no longer block all streams of information, a problem known as "head-of-line blocking"
  • Faster connection establishment: QUIC combines the cryptographic and transport handshakes
  • Zero round-trip time (0-RTT): For servers they have already connected to, clients can skip the handshake requirement (the process of acknowledging and verifying each other to determine how they will communicate)
  • More comprehensive encryption: QUIC is encrypted by default, making HTTP/3 more secure than HTTP/2 (more on this below)
  • Protecting against HTTP/2 "Rapid Reset" distributed denial-of-service (DDoS) attacks, which can slow down or crash a web server, by using a credit-based system for streams (a "stream" is a single HTTP request and response exchange) to allow HTTP/3 servers fine-grained control over stream concurrency
  • Developing a workaround for the sluggish performance when a smartphone switches from WiFi to cellular data, such as when leaving the house or office

What is encrypting by default?

Requiring encryption within the transport layer, rather than at the application layer, has important implications for security. It means that the connection will always be encrypted. Previously, in HTTPS, the encryption and transport-layer connections occurred separately. TCP connections could carry data that was either encrypted or unencrypted, and the TCP handshake and Transport Layer Security (TLS) handshake were distinct events. However, QUIC sets up encrypted connections by default at the transport layer — application-layer data will always be encrypted.

QUIC accomplishes this by combining the two handshakes into one action, reducing latency since applications must wait for only one handshake to finish before sending data. It also encrypts metadata about each connection, including packet numbers and some other parts of the header, to help keep information about user behavior out of attackers' hands. This feature was not possible with HTTP/2 because it relied on TCP and TLS.

HTTP historically used plaintext TCP, which has negative consequences for security, since anyone monitoring communications can read requests and responses. Today, websites and web browsers prefer to encrypt all HTTP communications to help keep everyone safer and protect sensitive data. QUIC's encryption by default supports that goal.

Is HTTP/3 available now?

Yes. HTTP/3 is implemented as standard in all major Web browsers and can be enabled by all Cloudflare customers without any changes to their origin. Learn how to make the switch for your domain.

Cloudflare Radar maintains up-to-date statistics on HTTP version usage.