ToolBelt

HTTP/3 & QUIC Reference

Core concepts behind HTTP/3 and QUIC, one short paragraph each.

Open tool

Overview

The HTTP/3 and QUIC reference is a one-paragraph-per-concept walkthrough of the protocols that now carry a large slice of public web traffic. It covers the differences from HTTP/2, the role of QUIC, the 0-RTT handshake, connection migration across networks, multiplexed streams without head-of-line blocking, and the QPACK header compression scheme.

Backend engineers evaluating HTTP/3 adoption, network architects writing a migration plan, and curious developers who keep seeing h3 in their browser DevTools all want a concise HTTP/3 vs HTTP/2 comparison. Long-tail keywords covered: HTTP/3 explained for developers, what is QUIC and how does it differ from TCP, and HTTP/3 0-RTT security trade-offs.

How it works

HTTP/3 (RFC 9114) is HTTP over QUIC (RFC 9000) instead of TCP. QUIC is a transport protocol built on UDP that integrates TLS 1.3, provides multiple independent streams without TCP's head-of-line blocking, and supports connection IDs so a session survives a client's IP change (Wi-Fi to mobile, for instance).

The handshake is fast: TLS 1.3 fits inside the QUIC Initial packet and brings a normal 1-RTT setup. Resumed connections can send application data with the very first packet using 0-RTT, at the cost of replay-attack exposure that idempotent requests can tolerate. Header compression switches from HTTP/2's HPACK to QPACK, which separates the dynamic table from the request stream so a single missing packet does not stall every header decode.

Examples

  • A browser opens an HTTP/3 connection after a 200 OK from HTTP/2 advertises Alt-Svc: h3=":443".
  • Connection migration: a phone moves from cellular to Wi-Fi and the same QUIC session continues without renegotiation.
  • 0-RTT resumption: a returning visitor's first GET / arrives in the QUIC Initial packet, served immediately.
  • Stream-level loss: one missing packet on stream 5 does not block streams 1, 3, or 7, unlike HTTP/2 over TCP.

FAQ

Do I need to change my application code?

No. HTTP semantics are unchanged. Switching to HTTP/3 is a server, load balancer, or CDN configuration change.

Why UDP instead of TCP?

QUIC needs to evolve faster than TCP, which is implemented in OS kernels. Running over UDP keeps the protocol in userspace where it can be deployed without kernel upgrades, and it sidesteps middleboxes that ossify TCP behaviour.

Is HTTP/3 always faster?

Usually on lossy networks (mobile, congested Wi-Fi). On a clean fibre link with low latency, the difference versus HTTP/2 is often negligible.

What is 0-RTT replay risk?

An attacker who captures a 0-RTT request can replay it. Servers must treat 0-RTT data as replayable and only allow idempotent operations — typically GET — at that phase.

Try HTTP/3 & QUIC Reference

An unhandled error has occurred. Reload ×