# 425 Too Early

> https://http-status.org/docs/425

**Family:** 4xx Client Error

## Rationale

Server is unwilling to risk processing a request that might be replayed.

## In Plain Terms

You're trying to do something too early in the connection process. It's like trying to order food before the restaurant is fully open.

## Description

The HTTP 425 Too Early status code indicates that the server is unwilling to risk processing a request that might be replayed, which creates the potential for a replay attack. This is typically used with TLS early data (0-RTT) where the server cannot guarantee the request won't be replayed by an attacker.

## Server Perspective

### Usage
- Return 425 for non-idempotent or replay-sensitive operations received too early
- Use it when the request should be retried after the handshake, not processed in 0-RTT
- Applies when TLS early data (0-RTT) raises security concerns
- Applies to non-idempotent operations sent over early data
- Serves to prevent replay attacks in TLS 1.3
- Applies when the server cannot guarantee request uniqueness

### Implementation
- Reject replay-sensitive early-data requests consistently
- Expect clients or intermediaries to retry without early data
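
One way to express this decision in server code, as an added example that is not part of the original page. The `Request` fields, the function names and the choice to treat only safe methods as replay-tolerant are assumptions; `Early-Data: 1` is the marker an intermediary sets when it forwards a request it received as early data.

```python
from dataclasses import dataclass, field

# Assumption: only safe methods are treated as replay-tolerant in early data.
REPLAY_TOLERANT_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    in_tls_early_data: bool = False  # arrived as 0-RTT data on this connection
    handshake_complete: bool = True  # TLS handshake finished before handling


def may_be_replayed(req: Request) -> bool:
    """True if the request was, or may have been, sent as early data."""
    # An intermediary forwarding early data marks the request "Early-Data: 1";
    # the origin cannot make that safe by waiting for its own handshake.
    forwarded_early = any(
        name.lower() == "early-data" and value.strip() == "1"
        for name, value in req.headers.items()
    )
    received_early = req.in_tls_early_data and not req.handshake_complete
    return forwarded_early or received_early


def early_data_status(req: Request):
    """Return 425 to reject, or None to continue with normal processing."""
    if not may_be_replayed(req):
        return None  # never answer 425 to an ordinary post-handshake request
    if req.method.upper() in REPLAY_TOLERANT_METHODS:
        return None  # replay-tolerant, acceptable in early data
    return 425  # client or intermediary retries after the handshake


# Constructed sample requests (paths taken from the page's examples).
SAMPLES = {
    "payment in 0-RTT": Request("POST", "/api/payment", {}, True, False),
    "delete via proxy": Request("DELETE", "/api/users/123", {"Early-Data": "1"}),
    "payment after handshake": Request("POST", "/api/payment"),
    "read in 0-RTT": Request("GET", "/api/users/123", {}, True, False),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label}: {early_data_status(req) or 'process normally'}")
```

A request that arrived in early data but is handled only after the handshake completes is processed normally, because the completed handshake rules out replay on that connection.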

### Common Headers
- Early-Data

### Body
- A body is optional; include a short explanation only if clients need to understand early-data retry behavior.

### Pitfalls
- Do not use 425 for rate limiting (use 429 Too Many Requests) or ordinary server overload (use 503 Service Unavailable)
- Do not reject normal post-handshake requests with 425
- Do not use 425 for normal request processing (use 200 OK)
- Do not use 425 after full TLS handshake completion

## Client Perspective

### Pitfalls
- Do not keep retrying the same request in early data

## Examples

### TLS 0-RTT early data rejection

The server rejects a payment request sent over 0-RTT to prevent replay attacks.

**Request:**
```
POST https://api.example.test/api/payment
```

**Response:**
```
425 Too Early
Content-Type: application/json

{
  "error": "too_early"
}
```

### Non-idempotent operation in early data

Deletion requests are rejected in early data to prevent accidental replays.

**Request:**
```
DELETE https://api.example.test/api/users/123
```

**Response:**
```
425 Too Early
Content-Type: application/json

{
  "error": "too_early"
}
```

## Related Codes

- [429 Too Many Requests](/docs/429.md)
- [503 Service Unavailable](/docs/503.md)

