Add this behavior to support secure HTTP/3 connections between requesting clients and the Akamai edge.

📘
This behavior is currently in beta and is only available to select customers. Talk to your account team to see if you can participate in the beta program.

How it works

HTTP/3 retains the HTTP/1.1 and HTTP/2 concepts, but it moves away from the traditional transmission control protocol (TCP) transport layer. Instead, HTTP/3 uses the IETF QUIC protocol that handles streams by itself. This supports improved performance and a faster connection setup.

Before you begin

HTTP/3 requires a secure (HTTPS) connection between the requesting client and the Akamai edge. You need to create a Domain Validation (DV), Organization Validation (OV), or a third-party certificate and assign it to a property hostname in your property. It needs to be configured to support the following:

SNI-only. You apply it during the select network settings phase when creating a new certificate. This option is default enabled in a new Standard TLS certificate, but it can be toggled for Enhanced TLS. Ensure it’s enabled. If you don’t see it when setting up your certificate, you may need to have it added to your contract. Reach out to your Akamai account team for help.
Transport layer security (TLS) 1.3. If you select Standard TLS or Enhanced TLS when creating a new certificate, this is automatically applied.

📘
Default certificates and VIP-deployed certificates aren’t supported with the beta release. You need to manually create a certificate using Akamai’s Certificate Provisioning System (CPS) and apply it to your edge hostname in Property Manager.

Verify your certificate

You can take a look at a current certificate to make sure it can support HTTP/3.

In Akamai Control Center, select ☰ > CDN > Certificates.
Locate the applicable certificate. In the Actions column, select … > View and Edit Certificate.
Review the Select Network Settings options and ensure that SNI-only is On. If it isn't, you need to create a new certificate. These options can’t be modified.
Return to the landing page.

👍
If you’re limited on the number of certificates you can create, and this certificate isn’t active in a property hostname, select … > Delete to remove the certificate.

Click … > View and Edit Deployment settings for the certificate.
In the SNI Advanced Configuration panel, click Edit.
In the TLS Protocol Versions options, ensure that either of the following options are selected:
- Enable all TLS versions.
- Disable specific TLS versions. If you enable this, select each version you want left out, but ensure that TLS 1.3 is deselected.
If you made a change here, click Submit. If you didn't need to change anything, click Cancel.

Implementation

Add the behavior and set the Enable slider to On. You can add it to these rules in your property:

🚧
You can only have one instance of the HTTP/3 behavior in your property.

The Default Rule. All requests processed by this property will support HTTP/3 for transfer.
A custom rule. You can add it in a custom rule, but you need to use specific match criteria:

Match	Description
Hostname	Include one or more hostnames that have been set up to use a compatible certificate, as discussed above. All requests that use the hostnames will use HTTP/3 for transfer.
Percentage of Clients	Set a percentage of the HTTP/3 requests that should be honored. This is considered a temporary implementation. For example, you could initially use these match criteria to limit HTTP/3 traffic to test it, or if you're looking to slowly roll out support. Then, you could progressively edit your property to increase this percentage.
Hostname and Percentage of Clients	Combine the two options into a single rule: Include one or more hostnames that have been set up to use a compatible certificate and set a percentage of the HTTP/3 requests to be honored.

Match

Description

Hostname

Include one or more hostnames that have been set up to use a compatible certificate, as discussed above. All requests that use the hostnames will use HTTP/3 for transfer.

Percentage of Clients

Set a percentage of the HTTP/3 requests that should be honored. This is considered a temporary implementation. For example, you could initially use these match criteria to limit HTTP/3 traffic to test it, or if you're looking to slowly roll out support. Then, you could progressively edit your property to increase this percentage.

Hostname and Percentage of Clients

Combine the two options into a single rule: Include one or more hostnames that have been set up to use a compatible certificate and set a percentage of the HTTP/3 requests to be honored.

Customize the max-age in the Alt-Svc header

When you include the HTTP/3 behavior, an Alternative Services (Alt-Svc) header is automatically generated for requests. The header presets a max-age (ma) of 93600 seconds. You can change it by adding the Alt-Svc Header behavior to a rule in your property.

Caveats and known issues

Consider the following points when adding HTTP/3:

The HTTP/3 behavior isn't compatible with some security products. If you're using any of these Akamai products in your delivery configuration, you can't include the HTTP/3 behavior in your property:
- Account Protector.
- Bot Manager Premier. By default, Bot Manager Premier uses TLS fingerprinting when detecting keys, and a TLS fingerprint isn't generated for HTTP/3 traffic. If you use Bot Manager Premier and you'd like to test HTTP/3 in your environment, talk to your Akamai account team.
Keep HTTP/2. If you want to accept HTTP/2 requests, the HTTP/2 Support behavior needs to be in your property. HTTP/3 does not replace HTTP/2.
HTTP/3 supports connection reuse. This lets a requesting client use an open connection for any domain included in your certificate, even if that domain points to a different origin. Most browsers will perform a DNS query to ensure there's an overlap in the domain's IP before using the connection. If you’re using multiple certificates—specifically both Standard TLS and Enhanced TLS—don't include the same domain across them. If you do, an HTTP request to the domain that requires Enhanced TLS could be resolved using the less-secure Standard TLS certificate, and vice-versa.

📘
As a best practice, you shouldn’t use the same domain across multiple certificates, regardless if you’re using HTTP/3. This same issue can occur with HTTP/2 Support, because it uses connection reuse, too.

HTTP/3 traffic in other domains in the certificate. If a requesting client doesn’t respect Alt-Svc headers and tries HTTP/3 without the HTTP/3 behavior, an HTTP/3 connection will still be opened if the certificate used in the request has QUIC enabled. This will change after beta when HTTP/3 connections will only be possible for domains if the HTTP/3 behavior is enabled in your property.
Adaptive Acceleration's Automatic Server Push isn't supported with HTTP/3. Chromium-based browsers have dropped support for the Server Push functionality that's used by the Adaptive Acceleration feature in an Akamai Ion property. If the connecting protocol is HTTP/3, Adaptive Acceleration will automatically preload the resources (.css, and .js) rather than pushing them. So, there's nothing you need to do. However, when you add the HTTP/3 behavior to an Ion property that uses Adaptive Acceleration, you'll see a warning message that discusses this.
The QUIC Support behavior isn’t supported. If you have this behavior in your property, you’ll see a warning message. This combination will be deprecated soon. Talk to your account representative about your options, including adding the HTTP/3 behavior to your property.