425 Too Early

The HTTP 425 status code means a server rejects the request because there’s a possibility of a replay attack.

TLS 1.3 introduced a concept of a zero-round trip time (0-RTT, also known as TLS Early Data), where a client that reconnects to a server can send data immediately without additional TLS handshakes (i.e., reducing Time To First Byte on TLS connections). While Early Data can speed up the connection by saving one or two round-trip delays, it introduces an avenue for a replay attack.

If the server perceives the possibility of a replay attack to be significant, it can respond with 425 Too Early and expect clients to resend the request without Early Data.

Browser support

Firefox added support for the 425 Too Early status code in version 58. As of this writing, Firefox browsers earlier than version 58 account for less than 0.1% of global usage.

WebDAV Unordered Collection

In the draft version of RFC 3648, the 425 status code was supposed to mean that the order in the WebDAV collection has been violated. It was a non-standard status code that never gained wide adoption and is now obsolete.