Under the Hood: How HTTP/2 and HTTP/3 Differ in Production

An in-depth technical explainer on how HTTP/2 and HTTP/3 differ, exploring TCP head-of-line blocking, QUIC over UDP, connection migration, and real-world performance impacts.

Imagine you are running a logistics company delivering cargo across a single-lane bridge.

Under the old rules of the road (HTTP/1.1), you could only send one truck across the bridge at a time. If the truck carrying the database payload broke down or got stuck in traffic, every other truck carrying your CSS, JavaScript, and images had to wait on the highway behind it. This is what we call Head-of-Line (HoL) blocking at the application layer.

To fix this, we upgraded the bridge (HTTP/2). We invented a magical shrink-ray: we chopped all of our cargo up into tiny, standardized crates (frames), mixed them together, and sent them across the single bridge simultaneously. If a crate for your JavaScript got delayed, the crates for your images could still slip past.

But there was a catch. The bridge itself was built on a single, rigid concrete foundation called TCP (Transmission Control Protocol). If a single crate fell off a truck and was lost, the entire bridge had to close. The guard at the toll booth stopped all traffic, refusing to let any cargo through until the lost crate was recovered and retransmitted.

HTTP/3 changes the physical infrastructure entirely. Instead of a single concrete bridge, we build a fleet of independent, highly agile hovercrafts running on a wide-open river called UDP (User Datagram Protocol). Each hovercraft carries its own stream of cargo. If hovercraft #3 crashes and loses its payload, hovercrafts #1, #2, and #4 keep flying right past it to the destination. No pauses, no global traffic jams, and no single point of congestion.

The Simple Version: How HTTP/2 and HTTP/3 Differ

At a high level, the primary way how HTTP/2 and HTTP/3 differ comes down to the underlying transport protocol they use to move data across the network.

HTTP/2 relies on TCP. To guarantee that data arrives reliably and in the exact order it was sent, TCP treats the entire connection as a single, sequential stream of bytes. If a packet is lost in transit, TCP halts all processing until that packet is retransmitted and received. This means a single dropped packet stalls all multiplexed streams on that connection.

HTTP/3 abandons TCP entirely in favor of QUIC (Quick UDP Internet Connections), a transport layer protocol built on top of UDP. UDP is stateless and fast; it doesn't care about order or reliability out of the box. QUIC implements its own reliability and congestion control inside UDP, but it does so on a per-stream basis.

If you request ten images over HTTP/3 and the packet containing the second image is dropped, the other nine images will still render on the user's screen without a millisecond of delay.

What's Actually Happening Under the Hood

To understand why this shift matters, we have to look at the mechanics of the network stack.

1. The TCP Head-of-Line Blocking Problem

In HTTP/2, we multiplex multiple logical streams over a single physical TCP connection. The application layer (HTTP/2) is fully aware of these individual streams, but the transport layer (TCP) is completely blind to them. TCP only sees a continuous stream of packets that must be delivered in strict sequential order.

Because of this, a packet loss rate of just 1% on a lossy cellular network can make HTTP/2 perform significantly worse than old-school HTTP/1.1 with multiple parallel TCP connections.

2. How QUIC Resolves the Stall

QUIC shifts the responsibility of stream management from the application layer down to the transport layer. Because QUIC understands streams natively, it can isolate packet loss to the specific stream that lost the packet.

3. Connection Migration: The IP-Address Switch

With TCP, a connection is uniquely identified by a 4-tuple: (Source IP, Source Port, Destination IP, Destination Port).

If a user walks out of their house, their phone transitions from Wi-Fi to a 5G cellular network. Their IP address changes. This change breaks the 4-tuple, instantly killing the TCP connection. The browser must perform a new TCP handshake, negotiate TLS, and re-establish the HTTP/2 session, causing a visible freeze in the app.

QUIC solves this by introducing a Connection ID (CID). The CID is a unique identifier assigned to the connection that is independent of the IP address or port.

When your phone switches networks, it sends a QUIC packet from the new cellular IP address containing the exact same CID. The server validates the packet's cryptographic signature, associates it with the existing session, and continues streaming data without a single dropped frame.

Simulating the Difference in Code

To visualize how these mechanics impact delivery times under packet loss, let's look at a TypeScript simulation.

This runnable script models how a client processes frames under both HTTP/2 (TCP-bound) and HTTP/3 (QUIC-bound) when network packets are dropped. If you are handling high-throughput operations or complex async patterns, understanding this level of network delivery is critical (for more on optimization, see our guide on advanced TypeScript async patterns).

typescript

type Frame = {
  streamId: number;
  frameIndex: number;
  data: string;
};
 
type Packet = {
  sequenceNumber: number;
  frame: Frame;
  isLost: boolean;
};
 
class NetworkSimulator {
  private packets: Packet[] = [];
  private sequenceCounter = 0;
 
  addFrame(streamId: number, frameIndex: number, data: string, shouldLose: boolean = false) {
    this.packets.push({
      sequenceNumber: this.sequenceCounter++,
      frame: { streamId, frameIndex, data },
      isLost: shouldLose,
    });
  }
 
  getPackets(): Packet[] {
    return [...this.packets];
  }
}
 
// HTTP/2 Simulation: TCP enforces strict sequential packet processing
function simulateHTTP2(packets: Packet[]) {
  console.log("\n--- Starting HTTP/2 (TCP) Simulation ---");
  const processedStreams: Record<number, string[]> = {};
  let nextExpectedSequence = 0;
  const buffer: Map<number, Packet> = new Map();
 
  const render = (packet: Packet) => {
    const { streamId, data } = packet.frame;
    if (!processedStreams[streamId]) processedStreams[streamId] = [];
    processedStreams[streamId].push(data);
    console.log(`[HTTP/2] Processed Stream ${streamId}: "${data}"`);
  };
 
  for (const packet of packets) {
    if (packet.isLost) {
      console.log(`[Network] Packet #${packet.sequenceNumber} (Stream ${packet.frame.streamId}) was LOST.`);
      // In a real TCP stack, everything stops here until retransmission completes.
      // We buffer subsequent packets but cannot process them.
      continue;
    }
 
    if (packet.sequenceNumber === nextExpectedSequence) {
      render(packet);
      nextExpectedSequence++;
 
      // Drain buffer if the missing packet was resolved
      while (buffer.has(nextExpectedSequence)) {
        const bufferedPacket = buffer.get(nextExpectedSequence)!;
        render(bufferedPacket);
        buffer.delete(nextExpectedSequence);
        nextExpectedSequence++;
      }
    } else {
      console.log(`[TCP Buffer] Holding Packet #${packet.sequenceNumber} (Stream ${packet.frame.streamId}) due to Head-of-Line blocking.`);
      buffer.set(packet.sequenceNumber, packet);
    }
  }
}
 
// HTTP/3 Simulation: QUIC processes streams independently
function simulateHTTP3(packets: Packet[]) {
  console.log("\n--- Starting HTTP/3 (QUIC) Simulation ---");
  const processedStreams: Record<number, string[]> = {};
  const streamBuffers: Record<number, Map<number, Packet>> = {};
  const nextExpectedFrameInStream: Record<number, number> = {};
 
  for (const packet of packets) {
    const { streamId, frameIndex, data } = packet.frame;
 
    if (!processedStreams[streamId]) {
      processedStreams[streamId] = [];
      streamBuffers[streamId] = new Map();
      nextExpectedFrameInStream[streamId] = 0;
    }
 
    if (packet.isLost) {
      console.log(`[Network] Packet #${packet.sequenceNumber} (Stream ${streamId}, Frame ${frameIndex}) was LOST.`);
      continue;
    }
 
    const render = (p: Packet) => {
      processedStreams[streamId].push(p.frame.data);
      console.log(`[HTTP/3] Processed Stream ${streamId}: "${p.frame.data}"`);
    };
 
    if (frameIndex === nextExpectedFrameInStream[streamId]) {
      render(packet);
      nextExpectedFrameInStream[streamId]++;
 
      // Process buffered frames for THIS stream only
      let nextFrame = nextExpectedFrameInStream[streamId];
      const buffer = streamBuffers[streamId];
      while (buffer.has(nextFrame)) {
        const bufferedPacket = buffer.get(nextFrame)!;
        render(bufferedPacket);
        buffer.delete(nextFrame);
        nextFrame++;
        nextExpectedFrameInStream[streamId] = nextFrame;
      }
    } else {
      console.log(`[QUIC Buffer] Stream ${streamId} stalled. Buffering Frame ${frameIndex}.`);
      streamBuffers[streamId].set(frameIndex, packet);
    }
  }
}
 
// Execution
const sim = new NetworkSimulator();
// Stream 1: Critical CSS
sim.addFrame(1, 0, "CSS-Part1");
sim.addFrame(1, 1, "CSS-Part2");
 
// Stream 2: Analytics JS (We simulate packet loss on the first frame of this stream)
sim.addFrame(2, 0, "JS-Part1", true); // LOST PACKET
sim.addFrame(2, 1, "JS-Part2");
 
// Stream 3: Hero Image
sim.addFrame(3, 0, "HeroImage-Part1");
 
const packets = sim.getPackets();
simulateHTTP2(packets);
simulateHTTP3(packets);

Output Analysis

When you run this simulation, you will see a stark difference in output:

text

--- Starting HTTP/2 (TCP) Simulation ---
[HTTP/2] Processed Stream 1: "CSS-Part1"
[HTTP/2] Processed Stream 1: "CSS-Part2"
[Network] Packet #2 (Stream 2) was LOST.
[TCP Buffer] Holding Packet #3 (Stream 2) due to Head-of-Line blocking.
[TCP Buffer] Holding Packet #4 (Stream 3) due to Head-of-Line blocking.
 
--- Starting HTTP/3 (QUIC) Simulation ---
[HTTP/3] Processed Stream 1: "CSS-Part1"
[HTTP/3] Processed Stream 1: "CSS-Part2"
[Network] Packet #2 (Stream 2, Frame 0) was LOST.
[QUIC Buffer] Stream 2 stalled. Buffering Frame 1.
[HTTP/3] Processed Stream 3: "HeroImage-Part1"

In the HTTP/2 simulation, Stream 3 (the Hero Image) is blocked from rendering because Stream 2 lost a packet. In the HTTP/3 simulation, Stream 3 renders immediately. The packet loss in Stream 2 is completely isolated.

Why It Matters for Your Code

Understanding how HTTP/2 and HTTP/3 differ is not just academic network theory; it directly dictates how you should architect your frontend assets, manage API design, and configure your infrastructure.

The Myth of Asset Over-Bundling

In the HTTP/1.1 era, we bundled our entire application into a single massive main.js file to avoid the overhead of establishing multiple TCP connections.

When HTTP/2 arrived, we were told we could stop bundling because multiplexing allowed us to send hundreds of small files over a single connection. However, as we saw in our simulation, sending 100 unbundled files over HTTP/2 on a shaky mobile network is highly prone to TCP head-of-line blocking.

HTTP/3 finally makes unbundling viable in production. Because packet loss is isolated to individual streams, you can serve highly granular, unbundled modules using modern tools like Vite without worrying about a single dropped packet stalling your entire runtime initialization. For a deeper dive into modern bundler migrations, see our coverage of migrating to Vite 8.

API Performance and Security

When designing real-time, high-throughput APIs, the transport layer defines your latency ceiling. HTTP/3 integrates TLS 1.3 directly into the QUIC handshake.

While TCP + TLS 1.2 required 3 round-trips (RTT) to establish a secure connection before a single byte of HTTP data could be sent, HTTP/3 establishes both the transport connection and the cryptographic keys in a single RTT.

If a client has connected to your server before, QUIC supports 0-RTT resumption, allowing the client to send encrypted HTTP requests in the very first packet. This is a massive win for mobile applications and APIs with frequent, short-lived connections.

3 Things You Can Do Differently Now

Now that you understand the structural differences between HTTP/2 and HTTP/3, here are three actionable changes you can make to your systems today:

1. Configure the `Alt-Svc` Header on Your Reverse Proxies

HTTP/3 runs over UDP, but browsers don't know if your server supports UDP until they connect via TCP first. To bootstrap an HTTP/3 connection, your web server must advertise its HTTP/3 support using the Alt-Svc (Alternative Services) response header.

Ensure your Nginx, Caddy, or Cloudflare configuration injects this header:

http

Alt-Svc: h3=":443"; ma=86400

This tells the browser: "For the next 24 hours (86,400 seconds), you can reach me over HTTP/3 on port 443." Subsequent requests will bypass TCP negotiation entirely and jump straight to QUIC.

2. Open UDP Port 443 on Your Firewalls and Load Balancers

A common production failure during HTTP/3 migration is failing to open UDP traffic. Most traditional infrastructure teams default to only opening TCP port 443.

If UDP port 443 is blocked by a firewall or load balancer, the browser will attempt to connect via HTTP/3, timeout, and silently fall back to HTTP/2. While your application won't break, you lose all the performance benefits of QUIC without realizing it.

Always audit your security groups and firewall rules to explicitly allow:

Inbound/Outbound Protocol: UDP
Port: 443

For more security best practices, consult our production-grade backend API security checklist.

3. Adjust Your Bundling Strategy for Mobile-First Audiences

If your analytics show a significant portion of your traffic comes from mobile web browsers or users in regions with high packet loss (cellular networks), re-evaluate your asset splitting.

Instead of compiling your entire app into a single 2MB monolithic chunk, split your code by route or feature flag. With HTTP/3, loading 15 smaller, targeted JavaScript files will result in a faster Time-to-Interactive (TTI) on shaky connections than loading one massive file, because dropped packets on non-critical chunks won't block the execution of critical runtime files.