HTTP/3 inspection
Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires a user-side certificate to be deployed and traffic to be proxied over UDP with TLS version 1.3.
Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the order of enforcement.
To enable HTTP/3 inspection, turn on the Gateway proxy for UDP:
- In Zero Trust ↗, go to Settings > Network.
- In Firewall, turn on Proxy.
- Select TCP and UDP.
- Turn on TLS decryption.
Gateway can inspect HTTP/3 traffic from Mozilla Firefox and Microsoft Edge by establishing an HTTP/3 proxy connection. Gateway will then terminate the HTTP/3 connection, decrypt and inspect the traffic, and connect to the destination server over HTTP/2. Gateway can also inspect other HTTP applications, such as cURL.
If the UDP proxy is turned on in Zero Trust, Google Chrome will cancel all HTTP/3 connections and retry them with HTTP/2, allowing you to enforce your HTTP policies. If the UDP proxy is turned off, HTTP/3 traffic from Chrome will bypass inspection.
To apply Gateway policies to HTTP traffic without turning on the UDP proxy, you must turn off QUIC in your users' browsers to ensure only HTTP/2 traffic reaches Gateway.
Google Chrome
- Go to
chrome://flags - Set Experimental QUIC protocol to Disabled.
- Relaunch Chrome.
Safari
You cannot turn off QUIC in Safari. All traffic will be sent over HTTP/3.
Firefox
- Go to
about:config. - If you receive a warning, select Accept the Risk and Continue.
- Set network.http.http3.enable to false.
- Relaunch Firefox.
Microsoft Edge
- Go to
edge://flags - Set Experimental QUIC protocol to Disabled.
- Relaunch Edge.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
