There's no HTTP/4 — here's what actually changed
Every few months someone posts "the new HTTP version just dropped" and it turns out to be a misunderstanding. So let's be precise: as of mid-2026, there is no HTTP/4. The latest version of HTTP is still HTTP/3, standardised by the IETF as RFC 9114 back in June 2022. What is genuinely new right now is adoption — 2026 is the year HTTP/3 stopped being the experimental option behind a feature flag and became the default protocol for a huge share of the web. Cloudflare, Google, Meta, and most major CDNs now negotiate HTTP/3 first wherever the client supports it, and it's crossed roughly a quarter of the top 10 million sites according to W3Techs.
So this post is the deep dive I wish I'd read when HTTP/3 first showed up in my browser's dev tools as a mysterious "h3" in the protocol column. What problem does it actually solve, how does it work under the hood, and why does it matter enough that the entire industry quietly re-plumbed the transport layer of the web to ship it.
If you came here expecting an HTTP/4 announcement — there isn't one yet. What follows is why HTTP/3 is the version worth actually understanding right now.
A quick recap: why HTTP/1.1 and HTTP/2 weren't enough
HTTP/1.1 (1997) sends one request per connection at a time. Browsers worked around this by opening 6 parallel TCP connections per origin — which is exactly the kind of hack that tells you something is structurally wrong.
HTTP/2 (2015) fixed this at the application layer with multiplexing — many logical streams over a single TCP connection, so requests no longer queue behind each other in application code. This was a big win. But it didn't fix the underlying transport: TCP still delivers bytes in strict order. If one packet gets lost, TCP holds up everything behind it until the lost packet is retransmitted and re-ordered — even data belonging to completely unrelated HTTP/2 streams that arrived just fine. This is TCP head-of-line (HOL) blocking, and HTTP/2 has no way around it because it sits on top of TCP.
There's a second problem: TCP and TLS are negotiated separately. Before HTTP/2 can send a single byte of your request, the client and server have to complete a TCP three-way handshake, then a TLS handshake on top of it. That's extra round trips added to every new connection, and on a high-latency mobile link, that adds up to real, felt latency before the page even starts loading.
What is QUIC, and why does HTTP/3 run on it
HTTP/3's actual innovation isn't really in HTTP — it's underneath it, in the transport protocol. Instead of running over TCP, HTTP/3 runs over QUIC (originally a Google protocol, now standardised as RFC 9000), which itself runs over UDP.
That sounds like a downgrade — UDP has no reliability, ordering, or congestion control built in. But that's the point: QUIC re-implements all of that itself, in user space, specifically for HTTP's needs, instead of inheriting decades-old kernel-level TCP semantics. The key design choices:
- Streams are independent at the transport level. Loss on one stream no longer blocks any other stream — this is the actual fix for HOL blocking, done at the layer where it was actually happening.
- TLS 1.3 is built into the handshake, not layered on top of it afterward. Transport and encryption negotiate together in the same flight of packets.
- Connections are identified by a connection ID, not a 4-tuple (source/dest IP and port). This means a connection survives a network change — walk from Wi-Fi to cellular mid-download and QUIC just keeps going, no reconnection needed. This is connection migration.
- Congestion control lives in user space, in the browser or library, so it can be updated without waiting for OS kernel updates — which is normally how TCP congestion control ships.
The handshake: fewer round trips before the first byte
On HTTP/2, opening a fresh connection costs you a TCP handshake (1 round trip) and then a TLS 1.3 handshake (another round trip) before the browser can even send the HTTP request — roughly 2-3 round trips before the server sends back a single byte of your page. On a connection with 150ms latency to the server, that's 300-450ms spent before anything useful happens, every time a new connection opens.
QUIC merges the transport and cryptographic handshakes into a single flight. The very first packet the client sends already carries the TLS ClientHello; the server's response carries both the transport handshake completion and the TLS ServerHello and certificate. Result: 1 round trip to first byte on a fresh connection, and — if the client has connected to this server before and cached session parameters — 0-RTT, meaning the client can send actual HTTP request data in its very first packet, before the handshake even finishes.
0-RTT comes with a real caveat worth knowing: data sent in that very first 0-RTT flight is replayable by a network attacker who captures and resends it, because there's no proof of freshness yet. Servers are expected to only allow 0-RTT for idempotent requests (like a GET), never for anything that changes state (like a POST that transfers money). This is a protocol-level trade-off, not an implementation bug — if you're building anything that terminates QUIC yourself, it's the first security detail to get right.
Head-of-line blocking: the problem QUIC actually fixes
This is the part that's easy to read about abstractly and hard to actually picture, so here's the concrete version. Say a page is loading three resources — a stylesheet, a script, and an image — multiplexed as three streams over one connection.
On HTTP/2 over TCP, if a single packet carrying part of the image gets dropped somewhere on the network, TCP won't hand any of the buffered data — stylesheet, script, or image — up to the application until the lost packet is retransmitted and the byte stream is back in order. The stylesheet and script data might have arrived intact, sitting in the kernel's receive buffer, completely unusable until the one missing piece shows up.
On HTTP/3 over QUIC, loss detection and retransmission happen per-stream. The image stream stalls waiting for its retransmit; the stylesheet and script streams are entirely unaffected and get delivered to the application immediately. This is why HTTP/3's real-world benefit is concentrated on lossy networks — mobile data, congested Wi-Fi, satellite links, anywhere packet loss is a regular occurrence rather than a rare event. On a clean, low-loss wired connection, HTTP/2 and HTTP/3 often perform close to identically, because the HOL blocking problem QUIC solves barely shows up when packets aren't getting dropped in the first place.
Encrypted by default — and what that trades away
There is no plaintext HTTP/3. Unlike HTTP/1.1 and HTTP/2, which can both run unencrypted, HTTP/3 mandates TLS 1.3 as part of the QUIC handshake itself — you cannot have HTTP/3 without encryption, by construction of the protocol, not by convention.
The trade-off is at the network layer. QUIC runs over UDP, and a lot of middleboxes — corporate firewalls, some routers, older NAT implementations — either don't recognise UDP/443 as legitimate traffic or actively rate-limit and block it, sometimes without any error a user would understand. Browsers handle this gracefully: they attempt HTTP/3, and if it doesn't get anywhere quickly, they fall back to HTTP/2 or HTTP/1.1 over TCP automatically. But it's the reason you'll sometimes see a site perform slightly differently on a corporate VPN versus a home connection — one network path allows QUIC through, the other silently doesn't.
There's also a specific abuse vector QUIC has to defend against: UDP is connectionless, so without care, a server could be tricked into sending a large response to a spoofed source IP — a reflection/amplification attack. RFC 9000 requires servers to not send more than roughly 3x the bytes they've received from an unvalidated address, capping the amplification factor an attacker can achieve by spoofing a victim's IP in the initial packet.
Where adoption actually stands in 2026
Every major browser — Chrome, Edge, Firefox, Safari — supports HTTP/3 by default now. On the server side: nginx has QUIC support built in since 1.25+, Caddy enables it automatically with zero configuration, and Cloudflare, Google, Meta, and most large CDNs serve HTTP/3 by default wherever the client negotiates it. Roughly a quarter of the top 10 million sites now serve HTTP/3, per W3Techs — up sharply from single digits just a couple of years ago. IETF working group activity in early 2026 (IETF 125, held in Shenzhen) had more sessions on QUIC/HTTP-adjacent drafts than almost any other transport topic, which is a reasonable proxy for where the standards effort is actually concentrated right now.
Turning it on and checking it's actually working
If you run your own server, enabling HTTP/3 usually isn't a rewrite — it's a config change on top of infrastructure you already have, since it still speaks HTTP semantics on top:
# nginx (1.25+, built with QUIC support)
server {
listen 443 quic reuseport;
listen 443 ssl;
http2 on;
ssl_certificate /etc/ssl/certs/example.crt;
ssl_certificate_key /etc/ssl/private/example.key;
# advertise HTTP/3 support to clients that connected over TCP first
add_header Alt-Svc 'h3=":443"; ma=86400';
}Caddy needs essentially nothing — HTTP/3 is on by default for any site served over HTTPS. Cloudflare and most major CDNs expose it as a single dashboard toggle.
To check whether a connection actually used HTTP/3, curl needs to be built against a QUIC-capable TLS library:
curl --http3 -I https://example.com
# HTTP/3 200
# ...Or just open your browser's dev tools, go to the Network tab, right-click the column headers, and add the "Protocol" column — connections served over HTTP/3 show up as h3.
What's next: the drafts being worked on right now
HTTP/3 itself is finished and stable, but there's active work extending what QUIC can do:
- Multipath QUIC (MP-QUIC) — lets a single QUIC connection use multiple network paths simultaneously (say, Wi-Fi and cellular at once), for either redundancy or combined throughput. Directly useful for mobile devices with more than one radio.
- WebTransport over HTTP/3 — a browser API for low-latency, bidirectional client-server communication that isn't shaped like a request/response HTTP exchange. Think of it as a modern, QUIC-native alternative to WebSockets, useful for gaming, live collaboration, and real-time media.
- Oblivious HTTP (OHTTP) — routes requests through an intermediary relay so the server can't link a request to the client's IP address, aimed at privacy-sensitive use cases like telemetry or DNS queries.
None of these are a new HTTP version — they're extensions and companion specs building on the QUIC/HTTP-3 foundation, which is itself a sign of how much runway the protocol has before anyone needs to seriously talk about an HTTP/4.
Should you actually care, as a developer
If you're building or operating anything network-facing, the practical takeaways are narrow but real:
- Enable it if your stack supports it — it's close to a free win for users on mobile networks and anywhere packet loss is common, and it degrades gracefully for everyone else via automatic fallback.
- Don't expect dramatic gains on fast, low-loss wired connections — that's not where HTTP/3's advantage shows up.
- If you're terminating QUIC yourself (rather than behind a CDN), get familiar with 0-RTT replay risk and only allow it for idempotent requests.
- If you're debugging weird performance differences between networks — corporate VPN vs. home Wi-Fi, for instance — check whether one path is silently blocking UDP/443 and forcing fallback to HTTP/2.
Key takeaways
There's no HTTP/4, and there doesn't need to be one yet — HTTP/3 solved the problem that actually mattered: transport-level head-of-line blocking, plus folding TLS into the handshake to cut connection setup latency. What's actually new in 2026 isn't the protocol, it's that the industry finished the multi-year migration and HTTP/3 quietly became the default rather than the experiment. The interesting work happening right now — Multipath QUIC, WebTransport, Oblivious HTTP — is all building on top of that foundation rather than replacing it.