425 Too Early
Example HTTP Response
HTTP/1.1 425 Too Early- TLS Early Data (0-RTT) replay risk
- Request sent before connection fully established
- Security precaution against replay attacks
What does this mean?
Hold your horses! The server isn't ready to trust this request yet. It might be a replay attack in disguise.
Technical Definition
The server is unwilling to risk processing a request that might be replayed.
RFC Says
"The 425 (Too Early) status code indicates that the server is unwilling to risk processing a request that might be replayed. User agents that support this status code SHOULD automatically retry the request after the TLS handshake is complete."
Plain English:
425 means 'I'm not willing to process your request yet because we're in the early stages of the TLS connection, and your request might be vulnerable to replay attacks.' This is part of TLS 1.3's early data (0-RTT) feature. The client should retry once the full TLS handshake is done.
Common Misinterpretation
This is highly specialized and specific to TLS 1.3 early data. Application developers will almost never need to return this - it's handled at the TLS/web server level. Don't use it for rate limiting or other 'too early' scenarios - use 429 for rate limiting.
Ready-to-use code for returning this HTTP status in your application:
// Express.js
app.get('/example', (req, res) => {
res.status(425).json({
error: 'Too Early',
message: 'Your error message here'
});
});
// Native HTTP
const http = require('http');
http.createServer((req, res) => {
res.writeHead(425, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({
error: 'Too Early',
message: 'Your error message here'
}));
}).listen(3000);425 Too Early FAQ
What causes a 425 Too Early error?
TLS Early Data (0-RTT) replay risk. Request sent before connection fully established. Security precaution against replay attacks.