Or Ezra

Or Ezra

Security-curious backend dev

EHLO from HTTP/3.0

Yes, I know EHLO is an SMTP command, not HTTP - but I couldn’t resist borrowing it as a geeky “hello.”
Think of it as my way of introducing a protocol with another protocol’s greeting.

Now that we’ve broken the ice - HTTP/3 is here, and while it still speaks “HTTP,” it drives on a completely different highway.
For backend developers, this is the first time in decades that the transport layer underneath HTTP is changing - and it’s a big deal for both performance and security.
And don’t worry, if you’re not a backend developer, I promise to keep it human-friendly ;)

From HTTP/1.1 → HTTP/2 → HTTP/3

Before we jump into QUIC, let’s quickly rewind.

HTTP/1.1 (1997)

  • One request per TCP connection
  • Browsers opened multiple connections to speed things up
  • Head-of-line blocking was a nightmare (one slow resource could block others)

HTTP/2 (2015)

  • Multiplexing: multiple streams over a single TCP connection
  • Header compression (HPACK)
  • Server push
  • BUT… still TCP, still suffers from TCP-level head-of-line blocking.

Why that’s a problem: TCP delivers packets in order. If one packet is lost, everything behind it waits, even if it’s unrelated.

Why HTTP/3 Exists

Mobile users switch networks all the time. One moment they’re on Wi-Fi, the next they’re on 5G - and TCP hates that.
Every network change = connection drop = new handshake.

HTTP/3 fixes this by ditching TCP entirely and running on QUIC (Quick UDP Internet Connection), a modern transport protocol built on UDP, designed to improve the speed and reliability of web connections.

QUIC in a Nutshell

If TCP is like a polite postal service (guaranteed delivery, in order, with signatures), QUIC is like a private courier with GPS tracking, encryption, and a motorcycle.

Key QUIC benefits:

  • Runs over UDP → avoids TCP’s head-of-line blocking
  • TLS 1.3 built-in → always encrypted, faster handshake
  • Connection migration → keeps working when your IP changes
  • 0-RTT handshakes → faster page loads, especially after reconnects
  • Better congestion control for flaky networks

⚠️ Note: QUIC doesn’t make lost data magically appear.
If a missing packet belongs to a specific stream, that stream must still wait for it before it can continue (e.g., you can’t render half an HTML file).
The benefit is that other streams keep flowing instead of getting stuck behind the delay - something TCP can’t do because all streams share the same ordered delivery queue.

Stream Example

How HTTP/3 Stacks Up

HTTP/1.1  -->  TCP  -->  TLS (optional)  --> Internet
HTTP/2    -->  TCP  -->  TLS (usually)   --> Internet
HTTP/3    -->  QUIC -->  UDP + TLS 1.3   --> Internet

Visual flow:

HTTP Evolution Diagram

Backend Developer View

Your application logic? Probably won’t change. Your infrastructure? That’s where you’ll notice the difference.

  • Server/CDN support: nginx, Caddy, Cloudflare, AWS CloudFront, Fastly already support HTTP/3
  • Reverse proxy configs: may need new ports, certs, and UDP forwarding
  • Debugging: trickier, since QUIC encrypts transport layer
  • Fallback: clients that don’t speak HTTP/3 will use HTTP/2 or HTTP/1.1

Security Gains

With HTTP/3, TLS 1.3 is non-optional - no “accidentally unencrypted” requests. Shorter handshakes = less time for attackers to interfere. Stronger forward secrecy and faster recovery after connection drops.

Performance Gains

  • Lower latency on initial connections
  • Smooth performance on flaky mobile networks
  • Multiplexed streams without TCP-level blocking
  • Faster repeated connections with 0-RTT

Example: FastAPI with HTTP/3

You can run a FastAPI app with HTTP/3 using hypercorn:

pip install hypercorn[http3] fastapi

app.py

from fastapi import FastAPI

app = FastAPI()

@app.get("/")
async def root():
    return {"message": "Hello HTTP/3"}

Run with:

hypercorn app:app \
  --bind localhost:443 \
  --certfile cert.pem \
  --keyfile key.pem \
  --quic-bind localhost:4433

Visit with a browser that supports HTTP/3 (Chrome, Firefox, Edge) and check in dev tools → Network → Protocol.

Who’s Already Using HTTP/3

  • Google Search & YouTube
  • Facebook & Instagram
  • Cloudflare-powered sites
  • Most major CDNs

Final Thoughts

HTTP/3 isn’t just “HTTP/2 but faster.” It’s a new transport layer designed for a mobile-first, encryption-by-default web. Whether you’re a backend developer, a network engineer, or just someone tired of loading spinners - HTTP/3 is worth paying attention to.

Because in the new web, speed and security are not optional - they’re the starting point.