QUIC (originally Quick UDP Internet Connections, now just QUIC) is a modern general-purpose transport protocol that runs on UDP instead of TCP. It was first deployed by Google in 2012 inside Chrome and YouTube, redesigned for standardization by the IETF as RFC 9000 in May 2021, and now powers HTTP/3 (RFC 9114, June 2022). QUIC integrates TLS 1.3 encryption directly into the transport layer, supports multiple independent streams within a single connection without head-of-line blocking, allows 0-RTT connection setup, supports connection migration (the same connection survives when a phone switches from Wi-Fi to mobile data) and uses modern congestion control (CUBIC or BBR).
For typical web traffic on mobile networks, QUIC reduces connection setup time by 100 to 300 ms and improves Time to First Byte (TTFB) by 5 to 20 percent compared to HTTP/2 over TCP. As of early 2025, more than 30 percent of traffic on Cloudflare and over 50 percent of YouTube traffic globally is delivered over QUIC.
All major browsers support HTTP/3: Chrome 90 (April 2021), Firefox 88 (April 2021), Safari 14 (September 2020, as an experimental flag) and Safari 16 (September 2022, enabled by default), and Edge 90 (April 2021). Server support: nginx 1.25 (May 2023, mainline), Caddy since version 2 (default), LiteSpeed, Apache via mod_http3 (still experimental in 2025), Cloudflare since 2019, AWS CloudFront, Fastly, Akamai.
Why was QUIC invented?
TCP plus TLS plus HTTP/2 have known limitations:
- Head of line blocking at the TCP layer: when a single TCP packet is lost, all HTTP/2 streams on that connection stall until the retransmission arrives. HTTP/2 solved application level multiplexing but TCP still serializes everything below it.
- Long connection setup: TCP needs 1 RTT for the handshake, then TLS 1.2 needs 1 to 2 more RTTs. On a 200 ms mobile RTT that is 400 to 600 ms before the first HTTP request even leaves the device.
- No connection migration: TCP connections are tied to the source IP and port. A phone moving from Wi-Fi to mobile data drops all TCP connections, breaking video streams and downloads.
- Slow protocol evolution: TCP is implemented in operating system kernels and middleboxes. Changes take a decade to propagate. QUIC lives in user space libraries (msquic, quiche, ngtcp2) that update with the application.
How does QUIC work?
- QUIC packets are wrapped in UDP datagrams. UDP is unreliable and connectionless; QUIC adds reliability, ordering and congestion control on top.
- The QUIC handshake (CRYPTO frames) runs TLS 1.3 inside the QUIC packets. Connection plus encryption complete in one round trip, or zero with session resumption.
- Each request and response is a separate stream. Streams are multiplexed within one connection but are independent at the transport layer, so a lost packet on stream 5 does not delay stream 7.
- Every QUIC packet carries a 64 bit connection ID that survives IP changes. If the source IP changes (Wi-Fi to LTE), the server still recognizes the connection.
- Congestion control runs per connection with modern algorithms like NewReno, CUBIC or BBR.
- Packet headers are mostly encrypted (only a few routing bytes are visible) so middleboxes can no longer inspect or tamper with QUIC like they do with TCP.
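
What stays readable on the wire can be seen by parsing the version-independent header fields (RFC 8999) of a UDP payload. This is an added example, not code from the original page: the function names and both sample datagrams are constructed, and the 8-byte connection ID length assumed for short headers matches the 64 bit ID mentioned above.

```python
import struct

# Long-header packet types in QUIC version 1 (RFC 9000, section 17.2).
V1_LONG_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}

def _read_cid(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read one length-prefixed connection ID, with bounds checks."""
    if pos >= len(buf):
        raise ValueError("truncated before connection ID length")
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("connection ID runs past end of datagram")
    return buf[pos + 1:end], end

def visible_header(datagram: bytes, short_dcid_len: int = 8) -> dict:
    """Return the cleartext fields an on-path observer can read."""
    if not datagram:
        raise ValueError("empty datagram")
    first = datagram[0]
    if not first & 0x80:
        # Short header: the DCID length is not on the wire, so an observer
        # must already know it (assumed to be 8 bytes here).
        if len(datagram) < 1 + short_dcid_len:
            raise ValueError("truncated short header")
        return {"form": "short", "dcid": datagram[1:1 + short_dcid_len].hex()}
    if len(datagram) < 5:
        raise ValueError("truncated long header")
    version = struct.unpack_from("!I", datagram, 1)[0]
    dcid, pos = _read_cid(datagram, 5)
    scid, pos = _read_cid(datagram, pos)
    if version == 0:
        kind = "Version Negotiation"
    elif version == 1:
        kind = V1_LONG_TYPES[(first & 0x30) >> 4]
    else:
        kind = "unknown"  # type bits are version-specific
    # Everything after the connection IDs is version-specific.
    return {"form": "long", "version": version, "type": kind,
            "dcid": dcid.hex(), "scid": scid.hex(), "rest_len": len(datagram) - pos}

# Constructed samples (not captured traffic): a v1 Initial and a short-header packet.
SAMPLE_INITIAL = bytes.fromhex("c0" "00000001" "08" "0102030405060708" "00") + bytes(1185)
SAMPLE_SHORT = bytes.fromhex("40" "0102030405060708") + bytes(24)

if __name__ == "__main__":
    print(visible_header(SAMPLE_INITIAL))
    print(visible_header(SAMPLE_SHORT))
```

For flow logging or detection, this means the version, the packet type during the handshake and the connection IDs are the stable fields to key on.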
QUIC vs TCP plus TLS plus HTTP/2
| Aspect | TCP + TLS 1.2 + HTTP/2 | QUIC + TLS 1.3 + HTTP/3 |
|---|---|---|
| Transport | TCP (kernel) | UDP plus QUIC (user space) |
| Handshake RTT | 2 to 3 | 1, or 0 on resumption |
| Head of line blocking | Yes (at TCP) | No (per stream) |
| Encryption | Separate TLS layer | Built into transport |
| Connection migration | No | Yes (connection IDs) |
| Middlebox visibility | High (TCP headers, SNI) | Low (headers encrypted) |
| Forward error correction | No | No (removed before standardization, optional in some libs) |
| CPU usage | Lower (kernel offload, hardware accel) | Higher historically, narrowing in 2025 with offload support |
| Default port | 443 / TCP | 443 / UDP |
How is HTTP/3 related to QUIC?
HTTP/3 is the third major version of the HTTP protocol, specifically designed to run on QUIC instead of TCP. The mapping is:
- HTTP/1.1 (RFC 9112, 1997 to 2022): runs on TCP, plain text framing.
- HTTP/2 (RFC 9113, May 2015): runs on TCP, binary framing, multiplexed streams, header compression (HPACK).
- HTTP/3 (RFC 9114, June 2022): runs on QUIC, similar API to HTTP/2 but uses QPACK for header compression (HPACK adapted to the QUIC stream model) and benefits from QUIC properties.
Browsers discover HTTP/3 via the Alt-Svc response header (sent over HTTP/2 first):
```
Alt-Svc: h3=":443"; ma=86400
```
Or via DNS HTTPS resource records (HTTPS RR, RFC 9460, November 2023) that announce HTTP/3 support before the first connection:
```
example.com. 300 IN HTTPS 1 . alpn="h3,h2" port=443
```
Connection migration in practice
A user on a mobile train ride switches from Wi-Fi at the station to LTE on the train. With TCP, the phone IP changes, the connection drops, video pauses, downloads restart from scratch. With QUIC, the same connection ID continues over the new path with no interruption. YouTube measured a 30 percent reduction in rebuffering events after enabling QUIC connection migration in 2017.
0-RTT in QUIC
If the client connected to the server before, it can resume the session in 0 RTT, meaning application data flies on the very first packet. This is faster than TLS 1.3 over TCP, which still needs the TCP three way handshake before TLS. The same replay caveats as TLS 1.3 0-RTT apply: only use it for idempotent requests like GET.
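
One way to enforce the replay caveat in the application, shown as an added example that is not part of the original page: a WSGI middleware that answers 425 Too Early (RFC 8470) when a non-safe method arrives in 0-RTT data. It assumes the QUIC or TLS terminating front end forwards the `Early-Data: 1` request header defined in RFC 8470; `EarlyDataGuard`, `transfer_app` and `probe` are hypothetical names.

```python
# Methods allowed in replayable 0-RTT data (assumption: the GET, HEAD and
# OPTIONS handlers of this application have no side effects).
REPLAY_SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class EarlyDataGuard:
    """WSGI middleware: reject unsafe requests that were sent as early data."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # WSGI exposes the Early-Data request header as HTTP_EARLY_DATA.
        in_early_data = environ.get("HTTP_EARLY_DATA", "").strip() == "1"
        method = environ.get("REQUEST_METHOD", "").upper()
        if in_early_data and method not in REPLAY_SAFE_METHODS:
            body = b"Too Early: retry after the handshake completes\n"
            start_response("425 Too Early", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def transfer_app(environ, start_response):
    """Hypothetical application with a state-changing POST endpoint."""
    body = b"ok\n"
    start_response("200 OK", [("Content-Length", str(len(body)))])
    return [body]


def probe(method: str, early_data: bool) -> str:
    """Send one constructed request through the guard; return the status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/transfer"}
    if early_data:
        environ["HTTP_EARLY_DATA"] = "1"
    seen = []
    EarlyDataGuard(transfer_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]


if __name__ == "__main__":
    for method, early in [("GET", True), ("POST", True), ("POST", False)]:
        print(method, "0-RTT" if early else "1-RTT", "->", probe(method, early))
```

A client that receives 425 repeats the request once the handshake has completed, so legitimate users see one extra round trip while a replayed POST is never executed.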
How do I enable QUIC and HTTP/3?
Cloudflare
Cloudflare enabled QUIC and HTTP/3 (then draft) on its free plan in September 2019, fully on RFC 9000 since 2021. To enable or check: Cloudflare Dashboard, Network, HTTP/3 (with QUIC) toggle to On. Alt-Svc and HTTPS RR are added automatically.
nginx
nginx 1.25 (May 2023) added experimental QUIC and HTTP/3 in mainline, declared stable in 1.27.4 (February 2025). The build must include --with-http_v3_module and an OpenSSL fork with QUIC support (BoringSSL, OpenSSL 3.0+ via QUIC API or quictls).
```
server {
    # TCP listener for HTTP/1.1 and HTTP/2
    listen 443 ssl;
    # UDP listener for QUIC and HTTP/3
    listen 443 quic reuseport;
    http2 on;
    http3 on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.3;
    # Advertise HTTP/3 to clients that connected over TCP
    add_header Alt-Svc 'h3=":443"; ma=86400';
}
```
Make sure UDP port 443 is open on the firewall (in addition to TCP 443).
Caddy
Caddy enables HTTP/3 automatically since version 2.6 (September 2022) for any HTTPS site. No configuration needed.
LiteSpeed and OpenLiteSpeed
HTTP/3 has been default since LiteSpeed Enterprise 5.4 (October 2019) and OpenLiteSpeed 1.6 (November 2019). The LiteSpeed Cache plugin for WordPress automatically benefits.
Apache
Apache lacks a stable HTTP/3 module as of 2025. The community project mod_http3 exists but is not production ready. Put nginx, Caddy, LiteSpeed or a CDN in front of Apache for HTTP/3.
How do I verify HTTP/3 is working?
- Chrome DevTools: Network tab, right click column header, enable Protocol. Look for `h3`.
- curl: `curl --http3 -I https://example.com/` (curl needs to be built against an HTTP/3 enabled library).
- HTTP3Check by HTTP/3 Explorer at `http3check.net`.
- Cloudflare Browser Insights shows the percentage of HTTP/3 traffic for sites behind Cloudflare.
Operational concerns with QUIC
- UDP blocking: some enterprise firewalls block outbound UDP except DNS. Clients in such networks fall back to TCP plus HTTP/2 automatically. About 3 to 5 percent of clients globally cannot reach QUIC in early 2025.
- CPU usage on the server: QUIC runs in user space and historically used more CPU than TCP per connection. Linux 5.13+ introduced UDP GSO and GRO offload that closes the gap. Hardware NICs with UDP segmentation help too.
- Logging and analytics: classic TCP based monitoring tools (tcpdump, Wireshark filters) see only encrypted UDP. Use QUIC aware tools (qlog format, qvis visualizer).
- NAT timeouts: home routers often time out idle UDP flows in 30 to 60 seconds. QUIC sends PING frames to keep the connection alive.
- DDoS amplification: UDP is reflectable. QUIC servers enforce a 3x amplification limit until the client is validated, mitigating amplification attacks.
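
The 3x limit in the last item amounts to per-address byte accounting on the server (RFC 9000, section 8.1). The following is an added example, not code from the original page or from any QUIC library: class and method names are hypothetical, the scenario is constructed, and the 1200-byte minimum for datagrams carrying an Initial packet comes from RFC 9000 rather than from this page.

```python
from dataclasses import dataclass

AMPLIFICATION_FACTOR = 3      # RFC 9000, section 8.1
MIN_INITIAL_DATAGRAM = 1200   # RFC 9000, section 14.1 (UDP payload bytes)

@dataclass
class PathState:
    received: int = 0
    sent: int = 0
    validated: bool = False

class AmplificationLimiter:
    """Byte accounting a server applies until a client address is validated."""
    def __init__(self):
        self.paths = {}

    def on_receive(self, addr, size, is_initial=False):
        """Credit received bytes; return False if the datagram is discarded."""
        if is_initial and size < MIN_INITIAL_DATAGRAM:
            return False  # undersized Initial earns no send budget
        self.paths.setdefault(addr, PathState()).received += size
        return True

    def mark_validated(self, addr):
        self.paths[addr].validated = True  # peer proved it receives at addr

    def send_flight(self, addr, sizes):
        """Send datagrams in order; return (sent, blocked) lists of sizes."""
        state = self.paths.get(addr)
        if state is None:
            return [], list(sizes)
        sent = []
        for i, size in enumerate(sizes):
            budget = AMPLIFICATION_FACTOR * state.received - state.sent
            if not state.validated and size > budget:
                return sent, list(sizes[i:])
            state.sent += size
            sent.append(size)
        return sent, []

def demo():
    """Constructed scenario: one 1200-byte Initial, five 1200-byte replies queued."""
    limiter = AmplificationLimiter()
    addr = ("203.0.113.9", 40000)  # documentation address, constructed
    limiter.on_receive(addr, 1200, is_initial=True)
    first = limiter.send_flight(addr, [1200] * 5)
    limiter.on_receive(addr, 1200)  # the peer answers, so the budget grows
    second = limiter.send_flight(addr, first[1])
    return first, second
```

In the constructed scenario a single spoofed Initial can draw at most 3600 bytes toward the forged address; the rest of the flight waits until that address sends more data or is validated.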
Common QUIC misconceptions
- "QUIC is just HTTP over UDP." QUIC is a general transport. It can carry HTTP/3, DNS over QUIC (RFC 9250, May 2022), SMB over QUIC and any other application protocol.
- "QUIC drops packets faster because UDP is unreliable." QUIC implements its own reliable delivery on top of UDP. Packets are retransmitted if lost.
- "HTTP/3 requires HTTPS." Correct: QUIC mandates TLS 1.3, so there is no plaintext QUIC for HTTP. Self-signed certs work in dev.
- "QUIC is Google only." QUIC is an open IETF standard with implementations from Cloudflare, Microsoft (msquic), Apple, Facebook (mvfst), Cisco, AWS, Akamai and the curl project (ngtcp2 and quiche).
How does InspectWP help with QUIC and HTTP/3?
InspectWP analyzes the network protocol used for each crawled URL and reports whether the response was delivered over HTTP/1.1, HTTP/2 or HTTP/3 plus QUIC. The report flags sites stuck on HTTP/1.1 as a performance opportunity.