TLS & Encryption

0-RTT (Zero Round Trip Time)

A TLS 1.3 feature (RFC 8446 Section 2.3) that allows a client to send application data in the very first message of a resumed session, before receiving any response from the server. This cuts perceived connection latency to near zero for returning visitors. The trade-off is that 0-RTT data is vulnerable to replay attacks — an attacker could retransmit the same 0-RTT data to trigger duplicate side effects. As a result, 0-RTT should only be used for idempotent, replay-safe requests such as HTTP GET or read-only API calls, and never for state-changing operations.
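One way to enforce the replay-safe rule on the server side, shown as an added example that is not part of the original entry: a WSGI middleware that answers 425 (Too Early) to state-changing requests that arrived as early data. It assumes a TLS-terminating proxy marks such requests with the "Early-Data: 1" header defined in RFC 8470; the names EarlyDataGate, demo_app and status_for and the /transfer path are hypothetical.

```python
# Added example: gate requests that arrived as TLS 1.3 0-RTT early data.
# Assumption: a TLS-terminating proxy sets "Early-Data: 1" (RFC 8470) on
# every request it forwarded before the handshake completed.

# Subset of the methods RFC 9110 defines as safe (no state change requested).
REPLAY_SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def is_early_data(environ):
    """True if the front end marked this request as received in 0-RTT."""
    return environ.get("HTTP_EARLY_DATA", "").strip() == "1"

class EarlyDataGate:
    """WSGI middleware: answer 425 to state-changing 0-RTT requests."""

    def __init__(self, app, safe_methods=REPLAY_SAFE_METHODS):
        self.app = app
        self.safe_methods = frozenset(safe_methods)

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if is_early_data(environ) and method not in self.safe_methods:
            # 425 tells the client to retry once the handshake has completed,
            # when the request can no longer be a replayed 0-RTT flight.
            body = b"retry after the TLS handshake completes\n"
            start_response("425 Too Early", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    """Hypothetical backend standing in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def status_for(method, early):
    """Run one constructed request through the gate; return its status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/transfer"}
    if early:
        environ["HTTP_EARLY_DATA"] = "1"
    seen = []
    gate = EarlyDataGate(demo_app)
    list(gate(environ, lambda status, headers: seen.append(status)))
    return seen[0]

if __name__ == "__main__":
    for method, early in [("GET", True), ("POST", True), ("POST", False)]:
        print(method, "0-RTT" if early else "1-RTT", "->", status_for(method, early))
```

The gate only sees what the proxy reports, so the proxy must set the header on every early-data request it forwards.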
