425 Too Early

Description

The 425 Too Early status code indicates that the server is unwilling to risk processing a request that might be replayed. This status code was introduced in RFC 8470 to address issues with "early data" in TLS 1.3, also known as TLS Fast Open or Zero Round Trip Time (0-RTT) data.
In TLS 1.3, clients can send application data (HTTP requests) along with the TLS ClientHello message before the TLS handshake is complete. This "early data" feature improves performance by reducing connection setup time. However, it introduces the risk of request replay attacks, as early data might be duplicated during network retransmissions.
This status code is commonly used when:
- A server receives a request that was sent as early data
- The server is concerned about the security implications of processing potentially replayed requests
- The request is not idempotent (like POST, PUT, or DELETE) and was sent as early data
- The server's security policy prohibits processing early data for certain endpoints
Syntax

The server responds with a 425 Too Early status:
HTTP/1.1 425 Too Early
Content-Type: application/json
Content-Length: [length in bytes]
{
"error": "Too Early",
"message": "The server is unwilling to risk processing a request that might be replayed"
}
Examples
Non-Idempotent Request Example
A client sends a POST request as early data:
Client Request (sent as TLS 1.3 early data):
POST /api/orders HTTP/1.1
Host: shop.example.com
Content-Type: application/json
Content-Length: 187
Early-Data: 1
{
"product_id": 123,
"quantity": 2,
"payment_method": "credit_card",
"card_token": "tok_visa_4242",
"shipping_address": {
"name": "John Doe",
"street": "123 Main St",
"city": "Anytown",
"zip": "12345"
}
}
Server Response:
HTTP/1.1 425 Too Early
Content-Type: application/json
Content-Length: 243
{
"error": "Too Early",
"message": "The server refuses to process this order request as early data due to replay risk",
"hint": "Please retry the request after the TLS handshake is complete"
}
Sensitive Operation Example
A client attempts to perform a sensitive operation using early data:
Client Request (sent as TLS 1.3 early data):
POST /api/users/password-reset HTTP/1.1
Host: accounts.example.com
Content-Type: application/json
Content-Length: 98
Early-Data: 1
{
"email": "user@example.com",
"reset_token": "a1b2c3d4e5f6",
"new_password": "securePassword123"
}
Server Response:
HTTP/1.1 425 Too Early
Content-Type: application/json
Content-Length: 215
{
"error": "Too Early",
"message": "Password reset requests cannot be processed as early data",
"security_notice": "For security reasons, this operation requires a complete TLS handshake"
}
API Request with Early Data Header Example
A client explicitly indicates that the request is being sent as early data:
Client Request:
PUT /api/user-preferences HTTP/1.1
Host: api.example.com
Content-Type: application/json
Content-Length: 124
Early-Data: 1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
{
"theme": "dark",
"notifications": {
"email": true,
"push": false
},
"language": "en-US"
}
Server Response:
HTTP/1.1 425 Too Early
Content-Type: application/json
Content-Length: 187
{
"error": "Too Early",
"message": "This API endpoint does not accept early data",
"acceptable_methods": ["GET"],
"retry_after_handshake": true
}
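The three responses above all come from the same server-side decision: was the request received as early data, and is it safe to process anyway? The following is an added example (not code from the page) of that policy in Python, written as a WSGI application. It assumes a TLS-terminating reverse proxy sets Early-Data: 1 on requests it received in 0-RTT, as RFC 8470 specifies for intermediaries, and the endpoint denylist is hypothetical.

```python
import json

# Added example, not from the page. The proxy in front of this app is assumed to
# add "Early-Data: 1" to requests it received as TLS 1.3 0-RTT data (RFC 8470).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Hypothetical endpoints that never accept early data, whatever the method.
EARLY_DATA_DENYLIST = {"/api/orders", "/api/users/password-reset"}


def was_early_data(headers):
    # Header names are case-insensitive; RFC 8470 defines the value "1" only.
    return any(k.lower() == "early-data" and v.strip() == "1" for k, v in headers.items())


def early_data_decision(method, path, headers):
    """Return None if the request may be processed, else (425, json_body)."""
    if not was_early_data(headers):
        return None  # 425 must only be sent for requests that arrived as early data
    if path in EARLY_DATA_DENYLIST or method.upper() not in SAFE_METHODS:
        body = {
            "error": "Too Early",
            "message": "This request was received as TLS early data and might be replayed",
            "hint": "Retry the request after the TLS handshake is complete",
        }
        return 425, body
    return None  # safe (idempotent) request on a non-sensitive path: process it


def _respond(start_response, status, body):
    payload = json.dumps(body).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(payload)))])
    return [payload]


def wsgi_app(environ, start_response):
    # WSGI exposes request headers as HTTP_EARLY_DATA etc.; rebuild the names.
    headers = {k[5:].replace("_", "-"): v for k, v in environ.items() if k.startswith("HTTP_")}
    decision = early_data_decision(environ["REQUEST_METHOD"], environ["PATH_INFO"], headers)
    if decision is not None:
        return _respond(start_response, "425 Too Early", decision[1])
    return _respond(start_response, "200 OK", {"ok": True})
```

A client that receives 425 retries the identical request once the handshake has completed, so the server sees it exactly once.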
Summary

The 425 Too Early status code addresses a specific security concern in modern TLS implementations. It allows servers to reject requests that were sent as early data when there's a risk of replay attacks. This is particularly important for non-idempotent requests (like POST, PUT, DELETE) where processing a replayed request could lead to unintended consequences such as duplicate orders, multiple payments, or other side effects. By responding with this status code, servers can indicate that the client should retry the request after the TLS handshake is complete, ensuring that the request is processed only once.