HTTP/3 inspection

Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires a user-side certificate to be deployed and traffic to be proxied over UDP with TLS version 1.3.

Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the order of enforcement.

Enable HTTP/3 inspection

To enable HTTP/3 inspection, turn on the Gateway proxy for UDP:

  1. In Zero Trust, go to Settings > Network.
  2. In Firewall, turn on Proxy.
  3. Select TCP and UDP.
  4. Turn on TLS decryption.

Application limitations

Gateway can inspect HTTP/3 traffic from Mozilla Firefox and Microsoft Edge, as well as other HTTP applications, such as cURL.

If the UDP proxy is enabled in Zero Trust, Google Chrome will force all HTTP/3 traffic to fall back to HTTP/2, allowing you to enforce your HTTP policies. If the UDP proxy is not enabled, HTTP/3 traffic from Chrome will bypass inspection.

Force HTTP/2 traffic

To apply Gateway policies to HTTP traffic without turning on the UDP proxy, you must disable QUIC in your users' browsers to ensure only HTTP/2 traffic reaches Gateway.

Google Chrome

  1. Go to chrome://flags.
  2. Disable Experimental QUIC protocol.
  3. Relaunch Chrome.

Safari

  1. Go to Safari > Settings > Advanced and enable Show Develop menu in menu bar, then relaunch Safari.
  2. Go to Develop > Experimental Features and disable HTTP/3.
  3. Relaunch Safari.

Firefox

  1. Go to about:config.
  2. If you receive a warning, select Accept the Risk and Continue.
  3. Disable network.http.http3.enable.
  4. Relaunch Firefox.
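
To confirm the Firefox change took effect on a managed device, the following added example (not from the original page and not Cloudflare tooling) reads the text of a profile's prefs.js and user.js and reports the state of network.http.http3.enable. The sample file contents are constructed, the function names are hypothetical, and treating an unset pref as "HTTP/3 enabled" is an assumption about the browser default.

```python
import re

# The pref named in the Firefox steps above.
PREF = "network.http.http3.enable"

# Matches one pref line as written in prefs.js / user.js, e.g.
#   user_pref("network.http.http3.enable", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def read_pref(text, name=PREF):
    """Return the last value set for `name` in a prefs file, or None if unset."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # lines commented out with // do not match
        if m and m.group(1) == name:
            raw = m.group(2)
            value = {"true": True, "false": False}.get(raw, raw)
    return value


def http3_state(prefs_js="", user_js=""):
    """Classify a profile. user.js is applied over prefs.js at startup, so it wins."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        value = read_pref(text)
        if value is True:
            return ("enabled", source)
        if value is False:
            return ("disabled", source)
        if value is not None:  # a non-boolean value for a boolean pref
            return ("unknown", source)
    # Assumption: with no explicit pref, the browser default (HTTP/3 on) applies.
    return ("enabled", "default")


# Constructed sample profile contents (not taken from a real machine).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("network.http.http3.enable", true);
'''
SAMPLE_USER_JS = '''\
// user_pref("network.http.http3.enable", true);
user_pref("network.http.http3.enable", false);
'''

if __name__ == "__main__":
    print(http3_state(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

A result of "enabled" from either file or from the default means that profile can still send HTTP/3, which bypasses inspection when the UDP proxy is off.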

Microsoft Edge

  1. Go to edge://flags.
  2. Disable Experimental QUIC protocol.
  3. Relaunch Edge.