HTTP/2, HTTP/3 & ALPN
Modern HTTP versions ride on top of TLS. **HTTP/2** is negotiated during the handshake via ALPN — enable it with http2 on; (nginx) or alpn h2,http/1.1 (HAProxy). **HTTP/3** runs over QUIC (UDP) instead of TCP and is advertised with an Alt-Svc: h3=":443" header so browsers can upgrade on the next request. Both require TLS 1.2+ in practice and benefit from the same forward-secret ciphers. They're performance features, not security ones, but they share the TLS configuration, so it's worth enabling them together.