Merged
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,15 @@ sidebar:

import { Details } from "~/components";

Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) to be deployed and traffic to be proxied over UDP with [TLS version 1.3](/cloudflare-one/traffic-policies/http-policies/tls-decryption/).
Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP.

Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the [order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/#http3-traffic).

## Enable HTTP/3 inspection
## Turn on HTTP/3 inspection

To enable HTTP/3 inspection, turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) for UDP:
Before you can inspect any HTTPS traffic, you must deploy a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) to your devices and turn on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). To inspect HTTP/3 traffic, you must also turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) for UDP.

To turn on the Gateway proxy for UDP and TLS decryption:

1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings**.
2. In **Proxy and inspection**, turn on **Allow Secure Web Gateway to proxy traffic**.
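Review bot: The rewritten prerequisites paragraph under "Turn on HTTP/3 inspection" drops the TLS 1.3 requirement that the old intro carried: the link that read "TLS version 1.3" now reads "TLS decryption", and no visible line mentions a TLS version any more. If inspection still depends on TLS 1.3, keep that in the prerequisites sentence, since a reader who meets every listed prerequisite would otherwise have no hint why HTTP/3 traffic is not being inspected. Two smaller points: renaming the heading from "Enable HTTP/3 inspection" to "Turn on HTTP/3 inspection" changes its generated anchor, so check for inbound links to the old one; and the lead-in "To turn on the Gateway proxy for UDP and TLS decryption:" promises both settings, but the steps visible in this hunk only cover the proxy toggle, so confirm the collapsed steps include the TLS decryption one.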
Expand All @@ -24,7 +26,7 @@ To enable HTTP/3 inspection, turn on the [Gateway proxy](/cloudflare-one/traffic

Gateway can inspect HTTP/3 traffic from Mozilla Firefox and Microsoft Edge by establishing an HTTP/3 proxy connection. Gateway will then terminate the HTTP/3 connection, decrypt and inspect the traffic, and connect to the destination server over HTTP/2. Gateway can also inspect other HTTP applications, such as cURL.

If the UDP proxy is turned on in Cloudflare One, Google Chrome will cancel all HTTP/3 connections and retry them with HTTP/2, allowing you to enforce your HTTP policies. If the UDP proxy is turned off, HTTP/3 traffic from Chrome will bypass inspection.
If both the UDP proxy and TLS decryption are turned on in Cloudflare One, Google Chrome will cancel all HTTP/3 connections and retry them with HTTP/2, allowing you to enforce your HTTP policies. If either the UDP proxy or TLS decryption is turned off, HTTP/3 traffic from Chrome will bypass inspection.

## Exempt HTTP/3 traffic from inspection
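Review bot: The bypass condition is now spelled out for Chrome only ("If either the UDP proxy or TLS decryption is turned off, HTTP/3 traffic from Chrome will bypass inspection"), while the preceding paragraph on Firefox, Edge and cURL still says nothing about what happens when one of the two settings is off. Bypass is the outcome an administrator most needs to know about, so either add the equivalent sentence to the Firefox and Edge paragraph or move the condition into a browser-independent sentence ahead of both paragraphs. As written, a reader can reasonably conclude that the TLS decryption dependency is specific to Chrome.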

Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ By default, TCP connection attempts will timeout after 30 seconds and idle conne

The UDP proxy forwards UDP traffic such as VoIP, [internal DNS requests](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/), and thick client applications.

When the UDP proxy is enabled, Gateway will force all HTTP/3 traffic to HTTP/2 to allow inspection. Otherwise, HTTP/3 traffic will bypass inspection. For more information, refer to [HTTP/3 inspection](/cloudflare-one/traffic-policies/http-policies/http3/).
For HTTP/3 traffic to be logged and filtered, you need to turn on both TLS decryption and the Gateway proxy for UDP so that Gateway will force all HTTP/3 traffic to HTTP/2 to allow inspection. Otherwise, HTTP/3 traffic will bypass inspection. For more information, refer to [HTTP/3 inspection](/cloudflare-one/traffic-policies/http-policies/http3/).

### ICMP <Badge text="Beta" variant="caution" size="small" />
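Review bot: "Otherwise" in the new UDP paragraph is ambiguous about whether turning off just one of the two settings is enough to cause bypass; the HTTP/3 page in this same change says it explicitly ("If either the UDP proxy or TLS decryption is turned off"), and the same wording would fit here. The clause "so that Gateway will force all HTTP/3 traffic to HTTP/2" also does not match that page, which says Firefox and Edge are inspected through an HTTP/3 proxy connection that Gateway terminates and that it is Chrome which cancels HTTP/3 and retries over HTTP/2. Suggest dropping the mechanism here and leaving it to the linked page, for example: "For HTTP/3 traffic to be logged and filtered, turn on both TLS decryption and the Gateway proxy for UDP. If either is turned off, HTTP/3 traffic will bypass inspection."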
