HTTP/3 is the next major revision of the hypertext transfer protocol (HTTP). It will improve speed, security, and reliability.
HTTP is an essential backbone of the Internet — it dictates how communications platforms and devices exchange information and fetch resources. In short, it is what allows users to load websites.
HTTP/3 is a new standard in development that will affect how web browsers and servers communicate, with significant upgrades for user experience, including performance, reliability, and security.
HTTP/3 will be the first major upgrade to the hypertext transfer protocol since HTTP/2 was approved in 2015.
An important difference in HTTP/3 is that it runs on QUIC, a new transport protocol. QUIC is designed for mobile-heavy Internet usage in which people carry smartphones that constantly switch from one network to another as they move about their day. This was not the case when the first Internet protocols were developed: devices were less portable and did not switch networks very often.
The use of QUIC means that HTTP/3 relies on the User Datagram Protocol (UDP), not the Transmission Control Protocol (TCP). Switching to UDP will enable faster connections and faster user experience when browsing online.
The QUIC protocol was developed by Google in 2012 and was adopted by the Internet Engineering Task Force (IETF), a vendor-neutral standards organization, as it started creating the new HTTP/3 standard. After consulting with experts around the world, the IETF has made a host of changes to develop its own version of QUIC.
QUIC will help fix some of HTTP/2's biggest shortcomings:
Other benefits include:
Requiring encryption within the transport layer, rather than at the application layer, has important implications for security. It means that the connection will always be encrypted. Previously, in HTTPS, encryption and the transport-layer connection were set up separately. TCP connections could carry data that was either encrypted or unencrypted, and the TCP handshake and TLS handshake were distinct events. QUIC, however, sets up encrypted connections by default at the transport layer, so application-layer data will always be encrypted.
QUIC accomplishes this by combining the two handshakes into one action, reducing latency since applications must wait for only one handshake to finish before sending data. It also encrypts metadata about each connection, including packet numbers and some other parts of the header. This feature was not included in HTTP/2. Encrypting this data helps keep actionable information about user behavior out of attackers’ hands.
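To make the metadata point concrete, the following added example (not part of the original article) parses a QUIC version 1 long-header packet using the field layout in RFC 9000 and returns only what an on-path observer can read; the packet number and payload show up only as a byte count. The function names and the sample packet are constructed for illustration.

```python
# Added example. Layout per RFC 9000 section 17.2 (QUIC v1 long header).
PACKET_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}

def read_varint(buf, pos):
    """Decode a QUIC variable-length integer; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    size = 1 << (buf[pos] >> 6)            # top two bits select 1, 2, 4 or 8 bytes
    if pos + size > len(buf):
        raise ValueError("truncated varint")
    value = buf[pos] & 0x3F
    for byte in buf[pos + 1:pos + size]:
        value = (value << 8) | byte
    return value, pos + size

def visible_fields(datagram):
    """Return what a passive observer can read from a QUIC v1 long-header packet."""
    if len(datagram) < 7 or not datagram[0] & 0x80:
        raise ValueError("not a long-header packet")
    version = int.from_bytes(datagram[1:5], "big")
    if version != 1:
        raise ValueError("only QUIC version 1 is handled here")
    pos, ids = 5, []
    for _ in range(2):                     # destination ID, then source ID
        n = datagram[pos] if pos < len(datagram) else 255
        if n > 20 or pos + 1 + n > len(datagram):
            raise ValueError("bad connection ID length")
        ids.append(datagram[pos + 1:pos + 1 + n].hex())
        pos += 1 + n
    fields = {"type": PACKET_TYPES[(datagram[0] >> 4) & 3], "version": version,
              "dcid": ids[0], "scid": ids[1]}
    if fields["type"] == "Retry":          # Retry carries no packet number
        return fields
    if fields["type"] == "Initial":        # only Initial packets carry a token
        token_len, pos = read_varint(datagram, pos)
        fields["token"] = datagram[pos:pos + token_len].hex()
        pos += token_len
    length, pos = read_varint(datagram, pos)
    if pos + length > len(datagram):
        raise ValueError("truncated packet")
    # The low four bits of byte 0, the packet number and the payload are covered by
    # header protection or packet encryption, so only their combined size is known.
    fields["protected_bytes"] = length
    return fields

# Constructed sample (shortened; not a captured packet): Initial, version 1,
# 8-byte destination ID, empty source ID, empty token, 20 opaque bytes.
SAMPLE = bytes.fromhex("c3" "00000001" "08" "0102030405060708" "00" "00" "14") + bytes(20)

if __name__ == "__main__":
    print(visible_fields(SAMPLE))
```

A monitoring tool built this way can still attribute flows by version and connection ID, but it has no packet numbers to work from.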
HTTP’s traditional use of plaintext for requests and responses has negative consequences for security, since anyone monitoring communications can read them. Encrypting by default will help keep everyone safer and protect sensitive data.
While the standard is still in development, website owners and visitors can start getting support for HTTP/3 through browsers, operating systems, and other clients. Of course, there are likely more changes ahead for the standard, which has already gone through several implementations.
After HTTP/3 is released, the entire web will not switch over at once. Many sites are not even on HTTP/2 yet.
One potential hurdle for the new protocol is that it requires increased CPU usage for both the server and client. This will likely decrease in impact over time as the technology evolves.
The IETF assembled the QUIC Working Group in 2016. People from many organizations and corporations are involved in the development process — including Cloudflare.
Before getting its current name of HTTP/3, the standard previously went by “HTTP-over-QUIC” and “HTTP/2 Semantics Using The QUIC Transport Protocol.”
Cloudflare enables website owners to turn on support for HTTP/3 without any changes to their origin.