425 Too Early
The server is unwilling to risk processing a request that might be replayed.
Usually happens because:
- ☑ Client browser sending GET requests
🔍 Quick Checklist:
Meaning
The HTTP 425 Too Early client error status code indicates that the server is unwilling to risk processing a request that might be replayed, typically in TLS early data scenarios (avoiding replay attacks).
Root Causes
- Client browser sending GET requests carrying state-changing query parameters inside TLS 1.3 Early Data (0-RTT) handshakes.
| Cause | Frequency |
|---|---|
| Client browser sending GET requests | ⭐⭐⭐⭐⭐ |
Common Mistakes
- Ignoring the Early-Data headers on writing routes, exposing operations to replay attacks.
How to Fix
Framework-Specific Examples
Express middleware detecting early data headers.
app.post('/api/action', (req, res) => {
if (req.headers['early-data'] === '1') {
return res.status(425).send('Too Early');
}
});Server Configuration Examples
Enabling TLS 1.3 early data and forwarding header checks to backend.
ssl_protocols TLSv1.3;
ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;Prevention
- Only enable TLS 1.3 0-RTT for safe, idempotent GET requests.
Frequently Asked Questions (FAQ)
Q: What is TLS 1.3 Early Data (0-RTT)?
It is a performance feature of TLS 1.3 that allows clients to send application data (like a GET request) during the initial TLS handshake packet exchange, saving a round-trip time (0-RTT).
Q: What is a replay attack?
In a replay attack, a malicious actor intercepts a TLS 1.3 early data packet (e.g. a payment request) and re-sends it to the server. Since 0-RTT lacks server-side handshake completion, the server might process the transaction twice.
Q: How do clients handle 425 responses?
The client must automatically retry the request after completing the TLS handshake, ensuring the data is not sent inside 0-RTT.
Q: Is 425 cacheable?
No. 425 Too Early responses are never cached.