The HTTP 425 – Too Early status code indicates that the server is unwilling to process a request because it might be replayed. This status code is primarily related to early data (0-RTT) in TLS.
Key Concepts
Introduced in HTTP to address security concerns with TLS 1.3 early data
Prevents replay attacks caused by early data
Mostly relevant for secure and idempotent requests
Client is expected to retry the request later
Syntax / Theory
When a client sends a request as early data (0-RTT), before the TLS handshake has completed, the server may reject it with status code 425.
Code Example(s)
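// Node.js Express example returning 425 Too Early
const express = require("express");
const app = express();
// Demo handler: always answers 425 so client retry behavior can be observed
app.post("/secure-endpoint", (req, res) => {
  res.status(425).send("Too Early - Retry Later");
});
app.listen(3000);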
Live Output / Explanation
Server Response
The server responds with status 425, telling the client that the request was received too early and should be retried.
Interactive Example / Diagram
Below is a simplified flow of how 425 Too Early works:
Client sends request using early data
Server detects replay risk
Server returns 425 status
Client retries request after handshake
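The server-side decision in the flow above, as an added example that is not code from the original page. It assumes a TLS-terminating proxy forwards the `Early-Data: 1` request header (RFC 8470) for requests received as 0-RTT data; the `log` hook and `simulate` helper are hypothetical names, and the requests are constructed.

```javascript
// Added example. Assumption: a TLS-terminating proxy sets "Early-Data: 1"
// (RFC 8470) on requests that arrived in TLS 1.3 0-RTT early data.

// Methods HTTP defines as safe: replaying them does not change server state.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Pure decision: should this request be refused with 425?
function shouldRejectEarly(method, headers) {
  // Node lowercases incoming header names in req.headers.
  const early = String(headers["early-data"] || "").trim() === "1";
  return early && !SAFE_METHODS.has(String(method).toUpperCase());
}

// Express-style middleware (req, res, next). `log` is a hypothetical audit
// hook so that every 425 leaves a record for security review.
function rejectEarlyData(log = console.warn) {
  return (req, res, next) => {
    if (!shouldRejectEarly(req.method, req.headers)) return next();
    log(`425 early-data ${req.method} ${req.url}`);
    res.statusCode = 425;
    res.setHeader("Content-Type", "text/plain");
    res.end("Too Early - Retry Later");
  };
}

// Runs one constructed request through the middleware with a minimal fake
// response object and reports what happened.
function simulate(method, headers) {
  const out = { status: 200, passed: false, logged: [] };
  const res = {
    set statusCode(v) { out.status = v; },
    setHeader() {},
    end() {},
  };
  const req = { method, url: "/secure-endpoint", headers };
  rejectEarlyData((m) => out.logged.push(m))(req, res, () => { out.passed = true; });
  return out;
}
```

With Express this would be mounted as `app.use(rejectEarlyData())` ahead of the state-changing routes.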
Use Cases
Banking or payment APIs
Authentication systems
Secure transactional services
Replay-attack-sensitive endpoints
✅ Tips & Best Practices
Use only for security-sensitive endpoints
Avoid using 0-RTT for non-idempotent requests
Clearly document retry behavior for clients
Log 425 responses for security auditing
Try It Yourself
Create a secure API endpoint and deliberately return status 425. Then retry the request after a delay to observe client behavior.