Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

HTTP/3 inspection

Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires traffic to be proxied over UDP.

Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the order of enforcement.

​​ Enable HTTP/3 inspection

To enable HTTP/3 inspection:

  1. In Zero Trust, go to Settings > Network.
  2. Under Firewall, enable Proxy and select UDP.
  3. Enable TLS decryption.

​​ Application limitations

Gateway can inspect HTTP/3 traffic from Microsoft Edge, as well as other HTTP applications, such as cURL.

The following browsers do not support HTTP/3 inspection:

  • Google Chrome
  • Safari
  • Firefox

If the UDP proxy is enabled in Zero Trust, Gateway will force all HTTP/3 traffic in these browsers to fall back to HTTP/2, allowing you to enforce your HTTP policies. If the UDP proxy is not enabled, HTTP/3 traffic will bypass inspection.

​​ Prevent inspection bypass

To prevent HTTP/3 traffic from bypassing inspection, disable QUIC in your users’ browsers.

Google Chrome
  1. Go to chrome://flags
  2. Disable Experimental QUIC protocol.
  3. Relaunch Chrome.
Safari
  1. Go to Safari > Settings > Advanced and enable Show Develop menu in menu bar, then relaunch Safari.
  2. Go to Develop > Experimental Features and disable HTTP/3.
  3. Relaunch Safari.
Firefox
  1. Go to about:config.
  2. If you receive a warning, select Accept the Risk and Continue.
  3. Disable network.http.http3.enable.
  4. Relaunch Firefox.
Microsoft Edge
  1. Go to edge://flags
  2. Disable Experimental QUIC protocol.
  3. Relaunch Edge.