Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires a user-side certificate to be deployed and traffic to be proxied over UDP with TLS version 1.3.

Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the order of enforcement.

Enable HTTP/3 inspection

To enable HTTP/3 inspection, turn on the Gateway proxy for UDP:

In Zero Trust ↗ , go to Settings > Network. In Firewall, turn on Proxy. Select TCP and UDP. Turn on TLS decryption.

Application limitations

Gateway can inspect HTTP/3 traffic from Mozilla Firefox and Microsoft Edge by establishing an HTTP/3 proxy connection. Gateway will then terminate the HTTP/3 connection, decrypt and inspect the traffic, and connect to the destination server over HTTP/2. Gateway can also inspect other HTTP applications, such as cURL.

If the UDP proxy is turned on in Zero Trust, Google Chrome will cancel all HTTP/3 connections and retry them with HTTP/2, allowing you to enforce your HTTP policies. If the UDP proxy is turned off, HTTP/3 traffic from Chrome will bypass inspection.

Exempt HTTP/3 traffic from inspection

If you require HTTP/3 traffic with end-to-end encryption from the client to the origin while still using the Gateway proxy, you can create a Do Not Inspect HTTP policy to match the desired traffic. Using a Do Not Inspect policy allows HTTP/3 traffic to preserve proxy performance and end-to-end encryption by bypassing Gateway's TLS decryption and inspection.

Force HTTP/2 traffic

To apply Gateway policies to HTTP traffic without turning on the UDP proxy, you must turn off QUIC in your users' browsers to ensure only HTTP/2 traffic reaches Gateway.

Google Chrome Go to chrome://flags Set Experimental QUIC protocol to Disabled. Relaunch Chrome.

Safari You cannot turn off QUIC in Safari. All traffic will be sent over HTTP/3.

Firefox Go to about:config . If you receive a warning, select Accept the Risk and Continue. Set network.http.http3.enable to false. Relaunch Firefox.