What is HTTP/3?

HTTP/3 is the next major revision of the hypertext transfer protocol (HTTP). It will improve speed, security, and reliability.

Learning Objectives

After reading this article you will be able to:

  • Understand what improvements are expected in HTTP/3
  • Recognize how the protocol will shape user experience
  • Describe anticipated security benefits

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is HTTP/3?

HTTP is an essential backbone of the Internet — it dictates how communications platforms and devices exchange information and fetch resources. In short, it is what allows users to load websites.

HTTP/3 is a new standard in development that will affect how web browsers and servers communicate, with significant upgrades for user experience, including performance, reliability, and security.

After the first hypertext transfer protocol (HTTP) was released in 1991, subsequent iterations made websites faster without any changes to the underlying code.

What is new in HTTP/3?

HTTP/3 will be the first major upgrade to the hypertext transfer protocol since HTTP/2 was approved in 2015.

An important difference in HTTP/3 is that it runs on QUIC, a new transport protocol. QUIC is designed for mobile-heavy Internet usage in which people carry smartphones that constantly switch from one network to another as they move about their day. This was not the case when the first Internet protocols were developed: devices were less portable and did not switch networks very often.

The use of QUIC means that HTTP/3 relies on the User Datagram Protocol (UDP), not the Transmission Control Protocol (TCP). Switching to UDP will enable faster connections and faster user experience when browsing online.

The QUIC protocol was developed by Google in 2012 and was adopted by the Internet Engineering Task Force (IETF) — a vendor-neutral standards organization — as they started creating the new HTTP/3 standard. After consulting with experts around the world, the IETF has made a host of changes to develop their own version of QUIC.

Why is a new version of HTTP needed?

QUIC will help fix some of HTTP/2's biggest shortcomings:

  • Developing a workaround for the sluggish performance when a smartphone switches from WiFi to cellular data (such as when leaving the house or office)
  • Decreasing the effects of packet loss — when one packet of information does not make it to its destination, it will no longer block all streams of information (a problem known as “head-of-line blocking”)

Other benefits include:

  • Faster connection establishment: QUIC allows TLS version negotiation to happen at the same time as the cryptographic and transport handshakes
  • Zero round-trip time (0-RTT): For servers they have already connected to, clients can skip the handshake requirement (the process of acknowledging and verifying each other to determine how they will communicate)
  • More comprehensive encryption: QUIC’s new approach to handshakes will provide encryption by default — a huge upgrade from HTTP/2 — and will help mitigate the risk of attacks

What is encrypting by default?

Requiring encryption within the transport layer, rather than at the application layer, has important implications for security. It means that the connection will always be encrypted. Previously, in HTTPS, the encryption and transport-layer connections occurred separately. TCP connections could carry data that was either encrypted or unencrypted, and the TCP handshake and TLS handshake were distinct events. However, QUIC sets up encrypted connections by default at the transport layer — application-layer data will always be encrypted.

QUIC accomplishes this by combining the two handshakes into one action, reducing latency since applications must wait for only one handshake to finish before sending data. It also encrypts metadata about each connection, including packet numbers and some other parts of the header, to help keep information about user behavior out of attackers’ hands. This feature was not included in HTTP/2. Encrypting this data helps keep actionable information about user behavior out of attackers’ hands.

HTTP’s traditional use of plaintext for requests and responses has negative consequences for security, since anyone monitoring communications can read them. Encrypting by default will help keep everyone safer and protect sensitive data.

Is HTTP/3 available now?

While the standard is still in development, website owners and visitors can start getting support for HTTP/3 through browsers, operating systems, and other clients. Of course, there are likely more changes ahead for the standard, which has already gone through several implementations.

After HTTP/3 is released, the entire web will not switch over at once. Many sites are not even on HTTP/2 yet.

One potential hurdle for the new protocol is that it requires increased CPU usage for both the server and client. This will likely decrease in impact over time as the technology evolves.

Who decides what gets included in HTTP/3?

The IETF assembled the QUIC Working Group in 2016. People from many organizations and corporations are involved in the development process — including Cloudflare.

Before getting its current name of HTTP/3, the standard previously went by “HTTP-over-QUIC” and “HTTP/2 Semantics Using The QUIC Transport Protocol.”

How can website owners turn on HTTP/3 now?

Cloudflare enables website owners to turn on support for HTTP/3 without any changes to their origin. Learn how to make the switch for your domain.