425 Too Early

HTTP Status CodesClient (4xx)rarerStatus Code: 425Last updated: todayTested on:Google ChromeNode.js v20 LTSJune 2026

The server is unwilling to risk processing a request that might be replayed.

425 Too Early Quick Fix⏱️ Est. Fix Time: 3 minutes

Usually happens because:

  • Client browser sending GET requests

🔍 Quick Checklist:

Meaning

The HTTP 425 Too Early client error status code indicates that the server is unwilling to risk processing a request that might be replayed, typically in TLS early data scenarios (avoiding replay attacks).

Root Causes

  • Client browser sending GET requests carrying state-changing query parameters inside TLS 1.3 Early Data (0-RTT) handshakes.
CauseFrequency
Client browser sending GET requests⭐⭐⭐⭐⭐

Common Mistakes

  • Ignoring the Early-Data headers on writing routes, exposing operations to replay attacks.

How to Fix

1Ensure clients do not send state-changing requests inside TLS 0-RTT handshakes.
2Retry the request using standard TLS handshake completion pipelines.

Framework-Specific Examples

Express middleware detecting early data headers.

Express Example
app.post('/api/action', (req, res) => {
  if (req.headers['early-data'] === '1') {
    return res.status(425).send('Too Early');
  }
});

Server Configuration Examples

Enabling TLS 1.3 early data and forwarding header checks to backend.

Nginx Config
ssl_protocols TLSv1.3;
ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;

Prevention

  • Only enable TLS 1.3 0-RTT for safe, idempotent GET requests.

Frequently Asked Questions (FAQ)

Q: What is TLS 1.3 Early Data (0-RTT)?

It is a performance feature of TLS 1.3 that allows clients to send application data (like a GET request) during the initial TLS handshake packet exchange, saving a round-trip time (0-RTT).

Q: What is a replay attack?

In a replay attack, a malicious actor intercepts a TLS 1.3 early data packet (e.g. a payment request) and re-sends it to the server. Since 0-RTT lacks server-side handshake completion, the server might process the transaction twice.

Q: How do clients handle 425 responses?

The client must automatically retry the request after completing the TLS handshake, ensuring the data is not sent inside 0-RTT.

Q: Is 425 cacheable?

No. 425 Too Early responses are never cached.

Still having this problem?

Didn't solve your problem?

SuggestRequest Error