HTTP/3 Connection Flow: Mermaid Sequence Diagram

About Source

HTTP/3 is the third major version of the HTTP protocol, running over QUIC instead of TCP, enabling 1-RTT connection establishment, independent stream multiplexing without head-of-line blocking, and seamless connection migration across network changes.

HTTP/3 (RFC 9114) was standardized in 2022 and is now supported by all major browsers and CDNs. The key insight is that QUIC — the transport protocol beneath HTTP/3 — integrates TLS 1.3 directly, so the transport and security handshakes happen simultaneously rather than sequentially.

Comparison with HTTP/2: HTTP/2 over TCP requires 2 RTTs (TCP + TLS 1.3) before sending data. HTTP/3 over QUIC requires only 1 RTT for new connections. More importantly, QUIC streams are independent at the transport level, so packet loss only affects the stream whose data is in the lost packet — not all concurrent streams (solving TCP's head-of-line blocking).

Connection Migration: QUIC connections are identified by a Connection ID, not by the 4-tuple (src IP, src port, dst IP, dst port). This means a mobile client can switch from WiFi to LTE — changing its IP address — without dropping the connection. TCP connections always break on IP change.

0-RTT Resumption: On subsequent connections to the same server (using a session ticket from a prior connection), QUIC supports 0-RTT data: the client can send application data in the very first packet, before the handshake completes. This is ideal for latency-sensitive API calls on returning visitors, though 0-RTT data is not protected against replay attacks for non-idempotent requests.

Alt-Svc and QUIC Discovery: Servers advertise HTTP/3 support via the Alt-Svc HTTP header (h3=":443"). Browsers attempt UDP/QUIC connections in parallel with TCP and use whichever succeeds first (Happy Eyeballs for QUIC).

Frequently asked questions

HTTP/3 is the third major version of the HTTP protocol. Where HTTP/2 runs over TCP, HTTP/3 runs over QUIC — a transport protocol built on UDP. This eliminates TCP's head-of-line blocking (a lost packet only affects the stream it belongs to), enables 1-RTT connection setup instead of 2 RTTs, and supports seamless connection migration when a client's IP address changes.

HTTP/3 leverages QUIC's integrated TLS 1.3 handshake. On a new connection, the client and server complete transport negotiation and cryptographic handshake simultaneously in 1 RTT. On subsequent connections to the same server, QUIC 0-RTT resumption allows the client to send application data in the very first packet, before the handshake completes.

HTTP/3 provides the most benefit on high-latency or lossy networks (mobile, satellite), for users switching between network interfaces (WiFi to LTE), and for latency-sensitive applications where reducing setup RTTs matters. On low-latency, low-loss fixed broadband, the difference is minimal. Major CDNs support HTTP/3 and enable it by default.

QUIC identifies connections by a Connection ID rather than the 4-tuple (source IP, source port, destination IP, destination port). When a mobile client switches from WiFi to LTE, its IP changes — this drops a TCP connection but a QUIC connection survives automatically. This is critical for mobile users who expect uninterrupted video streams or API calls while moving.

0-RTT resumption allows a returning client to send application data immediately in its first QUIC packet using a session ticket from a previous connection, achieving zero round-trip latency for connection setup. However, 0-RTT data is susceptible to replay attacks because it is sent before the server has authenticated the current session. It should only be used for idempotent requests like GET.

mermaid

sequenceDiagram
    participant Client
    participant Server

    note">Note over Client,Server: HTTP/3 runs over QUIC (UDP port 443)

    note">Note over Client,Server: New connection: 1 RTT
    Client->&gt;Server: QUIC Initial + TLS ClientHello\n(UDP datagram)
    Server-->&gt;Client: QUIC Initial + ServerHello\nHandshake + Certificate + Finished

    note">Note over Client: Verify certificate
    Client->&gt;Server: QUIC Handshake Finished\n+ HTTP/3 SETTINGS frame

    note">Note over Client,Server: Application data begins — streams are independent
    Client->&gt;Server: HEADERS frame stream 0\nGET /index.html
    Client->&gt;Server: HEADERS frame stream 4\nGET /api/data
    Server-->&gt;Client: HEADERS + DATA stream 0\n200 OK + HTML
    Server-->&gt;Client: HEADERS + DATA stream 4\n200 OK + JSON

    note">Note over Client,Server: Packet loss only affects owning stream
    note">Note over Client,Server: Connection migration: client changes IP
    Client->&gt;Server: PATH_CHALLENGE (new IP address)
    Server-->&gt;Client: PATH_RESPONSE (connection continues)

    note">Note over Client,Server: 0-RTT resumption on next visit
    Client->&gt;Server: 0-RTT data + Early data HTTP request
    Server-->&gt;Client: 1-RTT response