http3 post

Author: orez-rj

_posts/2025-08-10-http-3.md

@@ -0,0 +1,160 @@
+---
+title: "HTTP/3 for Backend Developers (and Curious Humans)"
+classes: wide
+header:
+  teaser: /assets/images/posts/http3/teaser.png
+  overlay_image: /assets/images/posts/http3/teaser.png
+  overlay_filter: 0.4
+ribbon: DarkSlateGray
+excerpt: "A backend-friendly introduction to HTTP/3, how it differs from HTTP/2, and why QUIC is changing the rules of the web"
+description: "From HTTP/1.1 to HTTP/3 - why QUIC matters for backend performance, security, and user experience"
+categories:
+  - Web Performance
+  - Backend
+  - Blog
+tags:
+  - HTTP3
+  - HTTP2
+  - QUIC
+  - FastAPI
+  - Performance
+  - Security
+  - Networking
+toc: true
+toc_sticky: true
+toc_label: "200 OK: Meet HTTP/3.0"
+toc_icon: "bolt"
+---
+
+# EHLO from HTTP/3.0
+
+Yes, I know **EHLO** is an SMTP command, not HTTP - but I couldn’t resist borrowing it as a geeky “hello.”  
+Think of it as my way of introducing a protocol with another protocol’s greeting.  
+
+Now that we’ve broken the ice - HTTP/3 is here, and while it still speaks “HTTP,” it drives on a completely different highway.  
+For backend developers, this is the first time in decades that the transport layer underneath HTTP is changing - and it’s a big deal for both **performance** and **security**.  
+And don’t worry, if you’re not a backend developer, I promise to keep it human-friendly ;)
+
+
+## From HTTP/1.1 → HTTP/2 → HTTP/3
+
+Before we jump into QUIC, let’s quickly rewind.
+
+**HTTP/1.1 (1997)**  
+- One request per TCP connection  
+- Browsers opened multiple connections to speed things up  
+- Head-of-line blocking was a nightmare (one slow resource could block others)
+
+**HTTP/2 (2015)**  
+- Multiplexing: multiple streams over a single TCP connection  
+- Header compression (HPACK)  
+- Server push  
+- BUT… still TCP, still suffers from TCP-level head-of-line blocking.
+
+**Why that’s a problem:** TCP delivers packets in order. If one packet is lost, everything behind it waits, even if it’s unrelated.
+
+## Why HTTP/3 Exists
+
+Mobile users switch networks all the time. One moment they’re on Wi-Fi, the next they’re on 5G - and TCP hates that.  
+Every network change = connection drop = new handshake.
+
+HTTP/3 fixes this by ditching TCP entirely and running on **QUIC** (Quick UDP Internet Connection), a modern transport protocol built on **UDP**, designed to improve the speed and reliability of web connections.
+
+## QUIC in a Nutshell
+
+If TCP is like a polite postal service (guaranteed delivery, in order, with signatures), QUIC is like a private courier with GPS tracking, encryption, and a motorcycle.
+
+**Key QUIC benefits:**
+- **Runs over UDP** → avoids TCP’s head-of-line blocking
+- **TLS 1.3 built-in** → always encrypted, faster handshake
+- **Connection migration** → keeps working when your IP changes
+- **0-RTT handshakes** → faster page loads, especially after reconnects
+- **Better congestion control** for flaky networks
+
+⚠️ **Note:** QUIC doesn’t make lost data magically appear.  
+If a missing packet belongs to a specific stream, that stream must still wait for it before it can continue (e.g., you can’t render half an HTML file).  
+The benefit is that **other streams keep flowing** instead of getting stuck behind the delay - something TCP can’t do because all streams share the same ordered delivery queue.
+
+![Stream Example](/assets/images/posts/http3/stream-example.png)
+
+## How HTTP/3 Stacks Up
+
+```plaintext
+HTTP/1.1  -->  TCP  -->  TLS (optional)  --> Internet
+HTTP/2    -->  TCP  -->  TLS (usually)   --> Internet
+HTTP/3    -->  QUIC -->  UDP + TLS 1.3   --> Internet
+````
+
+**Visual flow:**
+
+![HTTP Evolution Diagram](/assets/images/posts/http3/flow-diagram.png)
+
+## Backend Developer View
+
+**Your application logic?** Probably won’t change.
+**Your infrastructure?** That’s where you’ll notice the difference.
+
+* **Server/CDN support:** nginx, Caddy, Cloudflare, AWS CloudFront, Fastly already support HTTP/3
+* **Reverse proxy configs:** may need new ports, certs, and UDP forwarding
+* **Debugging:** trickier, since QUIC encrypts transport layer
+* **Fallback:** clients that don’t speak HTTP/3 will use HTTP/2 or HTTP/1.1
+
+## Security Gains
+
+With HTTP/3, **TLS 1.3 is non-optional** - no “accidentally unencrypted” requests.
+Shorter handshakes = less time for attackers to interfere.
+Stronger forward secrecy and faster recovery after connection drops.
+
+## Performance Gains
+
+* **Lower latency** on initial connections
+* **Smooth performance on flaky mobile networks**
+* **Multiplexed streams without TCP-level blocking**
+* Faster repeated connections with **0-RTT**
+
+## Example: FastAPI with HTTP/3
+
+You can run a FastAPI app with HTTP/3 using `hypercorn`:
+
+```bash
+pip install hypercorn[http3] fastapi
+```
+
+**`app.py`**
+
+```python
+from fastapi import FastAPI
+
+app = FastAPI()
+
+@app.get("/")
+async def root():
+    return {"message": "Hello HTTP/3"}
+```
+
+Run with:
+
+```bash
+hypercorn app:app \
+  --bind localhost:443 \
+  --certfile cert.pem \
+  --keyfile key.pem \
+  --quic-bind localhost:4433
+```
+
+Visit with a browser that supports HTTP/3 (Chrome, Firefox, Edge) and check in dev tools → Network → Protocol.
+
+## Who’s Already Using HTTP/3
+
+* Google Search & YouTube
+* Facebook & Instagram
+* Cloudflare-powered sites
+* Most major CDNs
+
+## Final Thoughts
+
+HTTP/3 isn’t just “HTTP/2 but faster.”
+It’s a new transport layer designed for **a mobile-first, encryption-by-default web**.
+Whether you’re a backend developer, a network engineer, or just someone tired of loading spinners - HTTP/3 is worth paying attention to.
+
+Because in the new web, speed and security are not optional - they’re the starting point.