I have a line of code that redirects the user from index.php to enable-js.php if they block Javascript:
<noscript><meta http-equiv="refresh" content="0;url=enable-js.php"></noscript>
Since this is a client side redirect, is it still possible for a user to still access index.php to do something like fill out a form while they have javascript disabled, or should I find a way to implement PHP headers instead?
Since this is a client side redirect, is it still possible for a user to still access index.php to do something like fill out a form, or should I find a way to implement PHP headers instead?
Yes. They could script it via cURL (which won't process a meta refresh at all), cancel the navigation (by pressing escape really quickly, for example), or disable meta refresh in the browser entirely.