HTTP/3 / QUIC
What is HTTP/3 / QUIC?
HTTP/3 (RFC 9114) is the HTTP mapping over QUIC (RFC 9000), a UDP-based, encrypted transport that integrates TLS 1.3 and provides per-stream multiplexing without head-of-line blocking.
QUIC, specified in RFC 9000 with loss recovery in RFC 9002 and TLS 1.3 integration in RFC 9001, is a UDP-based transport that bundles transport, encryption, and stream multiplexing into a single protocol. HTTP/3 (RFC 9114) carries HTTP semantics over QUIC, using QPACK (RFC 9204) for header compression. Compared with HTTP/2-over-TCP, QUIC offers faster 1-RTT (and optionally 0-RTT) handshakes, mandatory encryption of nearly every byte including headers, and resilience to network changes via connection IDs. Security topics include amplification limits (3x rule, RFC 9000 section 8.1), source-address validation, anti-replay constraints on 0-RTT, the QUIC version-negotiation downgrade defence, and middlebox issues with stateless reset. Real-world traffic on the public Internet now exceeds 30%.
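Several of these limits can be checked from the first bytes of a UDP datagram. The following is an added example, not part of the original entry: it parses the QUIC long header and applies the RFC 9000 checks on datagram size, connection ID length and the 3x send budget. The function names, finding strings and sample datagram are constructed for illustration, and datagrams are assumed to travel from client to server.

```python
import struct

QUIC_V1 = 0x00000001
V1_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}
MIN_INITIAL_DATAGRAM = 1200  # RFC 9000 section 14.1
AMPLIFICATION_FACTOR = 3     # RFC 9000 section 8.1


def parse_long_header(datagram: bytes):
    """Return version, packet kind and connection IDs, or None if not a long header."""
    if len(datagram) < 7 or not datagram[0] & 0x80:
        return None  # too short, or a short-header (1-RTT) packet
    version = struct.unpack_from("!I", datagram, 1)[0]
    pos, cids = 5, []
    for _ in range(2):  # destination CID, then source CID
        if pos >= len(datagram):
            return None
        end = pos + 1 + datagram[pos]
        if end > len(datagram):
            return None  # length byte points past the end of the datagram
        cids.append(datagram[pos + 1:end])
        pos = end
    if version == 0:
        kind = "Version Negotiation"
    elif version == QUIC_V1:
        kind = V1_TYPES[(datagram[0] >> 4) & 0x3]
    else:
        kind = "unknown version"
    return {"version": version, "kind": kind, "dcid": cids[0], "scid": cids[1]}


def inspect_client_datagram(datagram: bytes):
    """Return (header, findings, send_budget) for a not-yet-validated client address."""
    hdr = parse_long_header(datagram)
    if hdr is None:
        return None, ["not a QUIC long-header packet"], 0
    findings = []
    if hdr["version"] == QUIC_V1 and max(len(hdr["dcid"]), len(hdr["scid"])) > 20:
        findings.append("drop: v1 connection ID longer than 20 bytes")
    if hdr["kind"] == "Initial" and len(datagram) < MIN_INITIAL_DATAGRAM:
        findings.append("drop: Initial in a datagram under 1200 bytes")
    if hdr["kind"] == "0-RTT":
        findings.append("note: 0-RTT early data is replayable")
    dropped = any(f.startswith("drop") for f in findings)
    # This example's policy: a dropped datagram earns no send budget.
    budget = 0 if dropped else AMPLIFICATION_FACTOR * len(datagram)
    return hdr, findings, budget


# Constructed sample: v1 Initial, 8-byte DCID, empty SCID, zero-filled to 1200 bytes.
SAMPLE_INITIAL = (b"\xc0" + struct.pack("!I", QUIC_V1) + b"\x08" + bytes(range(8))
                  + b"\x00").ljust(1200, b"\x00")
```

The packet payload is encrypted in real traffic, so only these header fields and the datagram length are visible to a firewall or sensor without keys.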
● Examples
- Chrome connecting to a Cloudflare-hosted site over QUIC v1 with TLS 1.3 and 0-RTT replay protection.
- An enterprise firewall blocking UDP/443 to force HTTPS clients to fall back to HTTP/2-over-TCP.
● Frequently asked questions
What is HTTP/3 / QUIC?
HTTP/3 (RFC 9114) is the HTTP mapping over QUIC (RFC 9000), a UDP-based, encrypted transport that integrates TLS 1.3 and provides per-stream multiplexing without head-of-line blocking. It belongs to the Network Security category of cybersecurity.
How do you defend against HTTP/3 / QUIC?
Defences for HTTP/3 / QUIC typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for HTTP/3 / QUIC?
Common alternative names include: QUIC, h3, RFC 9000.
● Related terms
- HTTP/2 Security (network-security, № 498): The security model of HTTP/2 (RFC 9113) over TLS 1.2+, plus the operational pitfalls of HPACK, multiplexing, CONTINUATION frames, and the 2023 Rapid Reset attack.
- UDP (network-security, № 1188): A connectionless transport protocol (RFC 768) that delivers individual datagrams between ports with minimal overhead but no reliability or ordering guarantees.
- TCP (network-security, № 1134): A connection-oriented transport protocol (RFC 9293) that delivers an ordered, reliable, congestion-controlled byte stream between two endpoints over IP.