HTTP/3 = HTTP semantics over QUIC (UDP-based transport). Major sites (Google, Cloudflare, Facebook) serve HTTP/3 today. The benefits are real on mobile and lossy links — but operational maturity varies, and adoption requires planning.
Where you'll see wins
Mobile users on switching networks (Wi-Fi ↔ LTE): connection migration eliminates re-handshake. Lossy links (high RTT, packet loss): per-stream retransmit avoids HOL blocking. New connections: 0-RTT resumption saves 1 RTT for returning visitors.
Where it's neutral or worse
Wired desktop, low-loss network: TCP+TLS 1.3 is already excellent; HTTP/3 wins are marginal. Server CPU: QUIC encryption is per-packet, ~10-15% more CPU than TCP+TLS. UDP rate limits: some middleboxes still drop UDP — fall back to TCP if HTTP/3 fails.
Enabling HTTP/3
Cloudflare, Fastly, AWS Cloudfront — toggle in dashboard. NGINX 1.25+ with quictls. Caddy enables HTTP/3 by default. Node.js native HTTP/3 via h3-js. Origin servers don't need HTTP/3; the CDN handles it at the edge.
Alt-Svc header
Server signals HTTP/3 availability via Alt-Svc: h3=':443'; ma=86400. Client tries HTTP/3 on next request, falls back to HTTP/2 if blocked. First request is always HTTP/2; subsequent use HTTP/3. ma = how long client caches the signal.
Operational gotchas
Existing TCP-only DDoS protection won't see HTTP/3 traffic — make sure your provider handles UDP. Wireshark dissection of HTTP/3 is harder (encrypted from packet 0). Some corporate firewalls block UDP/443 — clients will silently fall back. Monitor HTTP/3 adoption% as a separate metric.