HTTP 425 Too Early — TLS Early Data Rejected
Informational · 4xx client error
Overview
HTTP 425 Too Early means the server refuses to process a request that was sent as TLS 1.3 early data (0-RTT), because such a request could be replayed by an attacker.
Key Details
- Defined in RFC 8470 for TLS 1.3 0-RTT early data
- TLS 1.3 allows sending data before the handshake completes (0-RTT)
- 0-RTT data can be replayed by an attacker, so servers may reject it
- The client should retry the request after the TLS handshake completes
- Only affects non-idempotent requests (POST, PUT) — GET is safe for 0-RTT
Common Causes
- Server configured to reject early data for non-idempotent requests
- CDN or reverse proxy stripping early data for security
- Client sending POST/PUT in TLS 1.3 0-RTT which server rejects
- Server-side anti-replay protection activated
Steps
1. The browser automatically retries after full TLS handshake — no user action needed
2. If developing a server, return 425 for non-idempotent requests in early data
3. For APIs, handle 425 by retrying the request normally
4. Configure your TLS server to accept 0-RTT for safe (GET) requests only
5. Test early data behavior with `openssl s_client -early_data`
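
Steps 2 to 4 as an added example, not code from the original page: a WSGI middleware that answers 425 to non-GET requests flagged as early data, plus a client-side retry. It assumes a TLS-terminating proxy sets the RFC 8470 `Early-Data: 1` request header on requests it received as 0-RTT; `RejectEarlyData`, `demo_app`, `send` and `send_with_retry` are hypothetical names.

```python
from wsgiref.util import setup_testing_defaults

# Assumption: the proxy in front of this app adds "Early-Data: 1" (RFC 8470)
# to every request that arrived as TLS 1.3 0-RTT data.
EARLY_DATA_OK = {"GET"}  # methods accepted in early data, per step 4


class RejectEarlyData:
    """Server side (step 2): refuse early-data requests outside EARLY_DATA_OK."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        early = environ.get("HTTP_EARLY_DATA", "").strip() == "1"
        if early and environ["REQUEST_METHOD"].upper() not in EARLY_DATA_OK:
            body = b"retry after the TLS handshake completes\n"
            start_response("425 Too Early", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]  # the wrapped application never sees the request
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Hypothetical endpoint standing in for a real application.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"processed\n"]


def send(app, method, early_data):
    """Drive the app with a constructed request; return the status line."""
    environ = {"REQUEST_METHOD": method}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    if early_data:
        environ["HTTP_EARLY_DATA"] = "1"
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]


def send_with_retry(app, method):
    """Client side (step 3): on 425, resend once without early data."""
    status = send(app, method, early_data=True)
    if status.startswith("425"):
        # Models the resend after the handshake: no Early-Data header is set.
        status = send(app, method, early_data=False)
    return status
```

The retry is limited to a single attempt so that a server that keeps answering 425 cannot put the client into a loop.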
Frequently Asked Questions
Zero Round Trip Time (0-RTT) allows a client that has connected before to send data immediately, without waiting for the TLS handshake to complete, which reduces latency.