HTTP/3 inspection
Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires traffic to be proxied over UDP.
Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the order of enforcement.
Enable HTTP/3 inspection
To enable HTTP/3 inspection:
- In Zero Trust, go to Settings > Network.
- Under Firewall, enable Proxy and select UDP.
- Enable TLS decryption.
Application limitations
Gateway can inspect HTTP/3 traffic from Microsoft Edge, as well as other HTTP applications, such as cURL.
The following browsers do not support HTTP/3 inspection:
- Google Chrome
- Safari
- Firefox
If the UDP proxy is enabled in Zero Trust, Gateway will force all HTTP/3 traffic in these browsers to fall back to HTTP/2, allowing you to enforce your HTTP policies. If the UDP proxy is not enabled, HTTP/3 traffic will bypass inspection.
Prevent inspection bypass
To prevent HTTP/3 traffic from bypassing inspection, disable QUIC in your users’ browsers.
Google Chrome
- Go to
chrome://flags
- Disable Experimental QUIC protocol.
- Relaunch Chrome.
Safari
- Go to Safari > Settings > Advanced and enable Show Develop menu in menu bar, then relaunch Safari.
- Go to Develop > Experimental Features and disable HTTP/3.
- Relaunch Safari.
Firefox
- Go to
about:config
. - If you receive a warning, select Accept the Risk and Continue.
- Disable network.http.http3.enable.
- Relaunch Firefox.
Microsoft Edge
- Go to
edge://flags
- Disable Experimental QUIC protocol.
- Relaunch Edge.