HTTP Status Code 425 – Too Early

The HTTP 425 “Too Early” status code indicates that the server is unwilling to risk processing a request that might be replayed. It is used together with the Early-Data request header field, which marks a request that was sent as TLS 1.3 early data (0-RTT). Data sent before the TLS handshake is complete can be captured and replayed by an attacker, which could lead to unauthorized transactions or actions; a 425 Too Early response declines such a request so that it is not processed.

Example 1: Usage in Secure Transactions

Suppose a client sends a POST request to a payment processing server, including sensitive transaction data. If the server receives this data while the connection is still in the early data phase of the TLS handshake, it may respond with a 425 Too Early status to avoid processing potentially replayed requests.

POST /process-payment HTTP/1.1
Host: payment.example.com
Early-Data: 1
Content-Type: application/json
Content-Length: 100

{
    "transaction_id": "12345",
    "amount": 100.00,
    "currency": "USD"
}

HTTP/1.1 425 Too Early
Retry-After: 5
Content-Type: text/plain

The server is not ready to process the request. Please try again after the handshake is complete.

Example 2: API Request for Critical Operations

Consider an API that handles critical operations, such as updating user permissions. If a client sends a request in the early data phase, the server may choose to respond with a 425 Too Early status to ensure the request is not replayed maliciously.

PUT /update-permissions HTTP/1.1
Host: api.example.com
Early-Data: 1
Content-Type: application/json
Content-Length: 85

{
    "user_id": "789",
    "permissions": ["admin", "editor"]
}

HTTP/1.1 425 Too Early
Retry-After: 10
Content-Type: text/plain

Request received too early. Please wait and resend the request once the connection is secure.
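The server-side decision behind Examples 1 and 2 can be sketched as WSGI middleware. This is an added example, not code from the original page; it assumes a TLS-terminating front end adds Early-Data: 1 to requests it received as early data, and the names RejectEarlyData, demo_app and call are hypothetical. Allowing safe methods through is a policy choice; pass an empty set to refuse every early-data request.

```python
# Added example: WSGI middleware answering 425 Too Early for replay-sensitive requests.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})  # assumed policy: safe methods may run on early data


class RejectEarlyData:
    """Wrap a WSGI app; refuse state-changing requests flagged Early-Data: 1."""

    def __init__(self, app, allowed_methods=SAFE_METHODS):
        self.app = app
        self.allowed_methods = allowed_methods

    def __call__(self, environ, start_response):
        # WSGI exposes the Early-Data request header as HTTP_EARLY_DATA.
        flagged = environ.get("HTTP_EARLY_DATA", "").strip() == "1"
        method = environ.get("REQUEST_METHOD", "").upper()
        if flagged and method not in self.allowed_methods:
            body = b"Request arrived in TLS early data; resend after the handshake completes.\n"
            start_response("425 Too Early", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]  # the wrapped app never sees the replayable request
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Hypothetical application standing in for /process-payment."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"processed\n"]


def call(app, method, early_data=None):
    """Drive the app with a constructed WSGI environ; return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/process-payment"}
    if early_data is not None:
        environ["HTTP_EARLY_DATA"] = early_data
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(app(environ, start_response))
    return seen["status"], body


if __name__ == "__main__":
    guarded = RejectEarlyData(demo_app)
    print(call(guarded, "POST", "1"))  # flagged as early data
    print(call(guarded, "POST"))       # sent after the full handshake
    print(call(guarded, "GET", "1"))   # safe method on early data
```

The check is only as reliable as the component that sets the header: if the front end accepts early data but does not mark the forwarded request, the application has nothing to act on.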

Example 3: A Different Scenario

# Client sends a request example.
GET /example HTTP/1.1
Host: www.example.com

# Server Response
HTTP/1.1 425 Too Early
Date: Wed, 09 Oct 2024 23:06:48 GMT
Server: ExampleServer/1.0
Content-Type: application/json

{
    "error": "Description of the error for 425"
}

Example 4: Another Scenario

# Client sends another example request.
POST /another-example HTTP/1.1
Host: www.example.com

# Server Response
HTTP/1.1 425 Too Early
Date: Wed, 09 Oct 2024 23:06:48 GMT
Server: ExampleServer/1.0
Content-Type: application/json

{
    "error": "Detailed message for 425"
}

Summary

The 425 Too Early status code is an important tool for servers to mitigate replay attacks, particularly during secure transactions or critical operations. By refusing to process requests sent during the early data phase of a TLS handshake, servers can ensure that requests are not replayed maliciously. Clients receiving a 425 Too Early response should wait for the TLS handshake to complete before resending their request, ensuring a secure and reliable communication channel.

I am the founder of SEO Leaders and have been involved in the internet and web development in one way or another for over 20 years. Since founding SEO Leaders some 6 years ago I have been heavily involved in web development, Digital PR and technical SEO for a wide variety of projects. I hope to enlighten you on a wide range of topics related to my chosen profession!
