Skip to content

HTTP/3

Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires a user-side certificate to be deployed and traffic to be proxied over UDP with TLS version 1.3.

Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the order of enforcement.

Enable HTTP/3 inspection

To enable HTTP/3 inspection:

  1. In Zero Trust, go to Settings > Network.
  2. Under Firewall, enable Proxy and select UDP.
  3. Enable TLS decryption.

Application limitations

Gateway can inspect HTTP/3 traffic from Microsoft Edge, as well as other HTTP applications, such as cURL.

By default, the following browsers do not support HTTP/3 inspection unless you disable QUIC:

  • Google Chrome
  • Safari
  • Firefox

If the UDP proxy is enabled in Zero Trust, Gateway will force all HTTP/3 traffic in these browsers to fall back to HTTP/2, allowing you to enforce your HTTP policies. If the UDP proxy is not enabled, HTTP/3 traffic will bypass inspection.

Prevent inspection bypass

To prevent HTTP/3 traffic from bypassing inspection, disable QUIC in your users' browsers.

Google Chrome

  1. Go to chrome://flags
  2. Disable Experimental QUIC protocol.
  3. Relaunch Chrome.

Safari

  1. Go to Safari > Settings > Advanced and enable Show Develop menu in menu bar, then relaunch Safari.
  2. Go to Develop > Experimental Features and disable HTTP/3.
  3. Relaunch Safari.

Firefox

  1. Go to about:config.
  2. If you receive a warning, select Accept the Risk and Continue.
  3. Disable network.http.http3.enable.
  4. Relaunch Firefox.

Microsoft Edge

  1. Go to edge://flags
  2. Disable Experimental QUIC protocol.
  3. Relaunch Edge.