Error Codes Wiki

HTTP 425 Too Early — TLS Early Data Rejected


About HTTP 425 Too Early

HTTP 425 Too Early means the server refuses to process a request sent in TLS 1.3 early data (0-RTT) because that request might be replayed.


Quick Answer

What is TLS 1.3 0-RTT?

Zero Round Trip Time allows a client that has connected before to send data immediately without waiting for the TLS handshake, reducing latency.


Key Details

  • Defined in RFC 8470 for TLS 1.3 0-RTT early data
  • TLS 1.3 allows sending data before the handshake completes (0-RTT)
  • 0-RTT data can be replayed by an attacker, so servers may reject it
  • The client should retry the request after the TLS handshake completes
  • Only affects non-idempotent requests (POST, PUT) — GET is safe for 0-RTT

Common Causes

  • Server configured to reject early data for non-idempotent requests
  • CDN or reverse proxy stripping early data for security
  • Client sending POST/PUT in TLS 1.3 0-RTT which server rejects
  • Server-side anti-replay protection activated

Steps

  1. The browser automatically retries after full TLS handshake — no user action needed
  2. If developing a server, return 425 for non-idempotent requests in early data
  3. For APIs, handle 425 by retrying the request normally
  4. Configure your TLS server to accept 0-RTT for safe (GET) requests only
  5. Test early data behavior with openssl s_client -early_data
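
Steps 2 and 4 as a server-side check, added here as an example (not code from this wiki or from RFC 8470). It assumes the application sits behind a TLS-terminating proxy that sets the RFC 8470 "Early-Data: 1" request header on requests received as early data and strips any client-supplied copy; the names RejectEarlyData, demo_app and status_for are hypothetical.

```python
# WSGI middleware: answer 425 Too Early to unsafe methods that arrived in 0-RTT.
# Assumption: a trusted proxy in front of this app sets "Early-Data: 1"
# (RFC 8470) and removes that header from anything the client sent itself.

# Methods allowed in early data; the page names GET, HEAD and OPTIONS are
# added here as the other commonly used safe methods.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def sent_in_early_data(environ):
    """True when the proxy marked this request as TLS 1.3 early data."""
    return environ.get("HTTP_EARLY_DATA", "").strip() == "1"


class RejectEarlyData:
    def __init__(self, app, safe_methods=SAFE_METHODS):
        self.app = app
        self.safe_methods = frozenset(safe_methods)

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if sent_in_early_data(environ) and method not in self.safe_methods:
            # The client is expected to resend once the handshake completes.
            body = b"Too Early: retry after the TLS handshake completes\n"
            start_response("425 Too Early", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in application that performs the state-changing work."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"processed\n"]


def status_for(method, early):
    """Send one constructed request through the middleware; return its status."""
    environ = {"REQUEST_METHOD": method}
    if early:
        environ["HTTP_EARLY_DATA"] = "1"
    seen = []
    b"".join(RejectEarlyData(demo_app)(environ, lambda s, h: seen.append(s)))
    return seen[0]


if __name__ == "__main__":
    for method, early in [("GET", True), ("POST", True), ("POST", False)]:
        print(method, "0-RTT" if early else "1-RTT", "->", status_for(method, early))
```

The check is only as trustworthy as the header: if the proxy does not overwrite a client-supplied Early-Data value, or the application is reachable without the proxy, the marker cannot be relied on.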
