Application code decisions, such as where to redirect a user, should never rely on client-side available values. Such values can be tampered with and modified, to redirect users to attacker-controlled websites or to execute attacker-controlled scripts.