Security considerations for JavaScript/PHP registration email confirmation workflow
I am building a user registration workflow for my JavaScript/PHP website. Once the user registers, they are added into a database (with an inactive status). The user will then receive an email confirmation, which requires them to click on a confirmation link.

Currently, the confirmation link will redirect the user to the site log-in page with the confirmation code as URL parameter. On document ready, the JavaScript will pull the confirmation code from the URL and submit it to the PHP back-end. If the code is valid, then the user status is upgraded to active in the database.

From a security standpoint, is it better for the confirmation link to navigate directly to the PHP, and then the PHP can redirect the user back to the website? What is the best practice?

Cranwell answered 7/2, 2014 at 1:4 Comment(0)

I don't think it matters all that much how you do it, as long as you are still validating the security code. You can do that with just PHP, if you really wanted to.

Send the user to e.g. /verify.php?key=123456, and on your page:

```php
<?php
// Read the key the emailed link carries as a query parameter.
if (isset($_GET['key']))
{
    $key = $_GET['key'];
    // TODO: Perform validation on $key
    // TODO: Do whatever you are already doing to list the user's email as valid.
}
```
Aves answered 7/2, 2014 at 1:12 Comment(0)

From a security standpoint, it doesn't really matter. Whether it's done immediately via the URL/PHP or done via AJAX on document load, anyone would be able to see the mechanism that's performing the confirmation (via the source).

If you're concerned about security, I suppose you could require a matching pair (email+confirmation code) and pass both of those through the URL for validation.

Aitchbone answered 7/2, 2014 at 1:15 Comment(0)

As of writing this, sending a link to a user's email is unsafe (it can result in impersonation), especially if your users are likely to use either Gmail for email or Chrome for the browser (Chrome, Chromium, Microsoft Edge, Brave Browser and DuckDuckGo Browser all use the Chrome engine).

Prefer to send a code to the user's email instead, and if you must send a link, make sure you have a dedicated confirmation page that requires user action (like a click) or requires JavaScript to run and send the code to your server.

https://security.stackexchange.com/a/197005/217958

You should make sure the verification page actually renders (not just that a GET request occurred). Browsers such as Chrome (and antivirus programs) often load URLs without the user explicitly clicking them, either as a pre-fetch or to scan them for security reasons.

That could result in a scenario where a malicious actor (Eve) wants to make an account using someone else's email (Alice). Eve signs up, and Alice receives an email. Alice opens the email because she is curious about an account she didn't request. Her browser (or antivirus) requests the URL in the background, inadvertently activating the account.

I would use JavaScript on the page to verify the page actually rendered, and also include a link in the email where users can report that they did NOT create this account.

https://support.google.com/mail/thread/16878288?hl=en

Gmail is opening and caching urls within emails without user intervention. How and why?

We run a system that checks whether users click on a simulated phishing test. The problem we are seeing is that sometimes Gmail will go through an email and follow a URL (not just an image link either) to cache it even if the user does not click on the link. Specifically, the user will open the email, and we will see one or 2 Google IPs (one of which was registered under YouTube?) also open and follow a URL link. Is this supposed to happen? Why and by what mechanism?

This issue had bothered me for more than a year before I found the above information.

Doormat answered 15/8, 2020 at 14:47 Comment(0)
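As an added example (not code from any of the answers above), here is a PHP confirmation handler that combines the key validation from the /verify.php?key=... answer with the "require a user action" advice from the last one: a GET request only renders a page, and the account is activated only on the explicit POST from that page, so a mail scanner or browser prefetch cannot activate it. The `$pdo` handle, the `users` table and its columns, and the `/report.php` link are hypothetical names assumed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not code from any answer above. Assumes a PDO handle $pdo and
// a hypothetical table users(id, status, confirm_token_hash, token_expires_at)
// where registration stored hash('sha256', $token) for a 32-byte random token.

function lookupPendingUser(PDO $pdo, string $token): ?array
{
    // Only the hash is stored, so a leaked table cannot be replayed as links.
    $stmt = $pdo->prepare(
        'SELECT id, token_expires_at FROM users
          WHERE status = ? AND confirm_token_hash = ?'
    );
    $stmt->execute(['inactive', hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || strtotime($row['token_expires_at']) < time()) {
        return null; // unknown, already used, or expired
    }
    return $row;
}

function activateUser(PDO $pdo, int $id): void
{
    // Clearing the hash makes the link single-use.
    $stmt = $pdo->prepare(
        'UPDATE users SET status = ?, confirm_token_hash = NULL WHERE id = ?'
    );
    $stmt->execute(['active', $id]);
}

// Accept the token from the emailed GET link or from the confirmation form.
$token = (string) ($_POST['key'] ?? $_GET['key'] ?? '');
$user  = preg_match('/^[0-9a-f]{64}$/', $token) ? lookupPendingUser($pdo, $token) : null;
if ($user === null) {
    http_response_code(400);
    exit('This confirmation link is invalid or has expired.');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // A GET (mail preview, link scanner, prefetch) only renders a page;
    // activation needs the explicit POST from the form below.
    $safe = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="/verify.php">'
       . '<input type="hidden" name="key" value="' . $safe . '">'
       . '<button type="submit">Confirm my account</button></form>'
       . '<p><a href="/report.php?key=' . $safe . '">I did not create this account</a></p>';
    exit;
}
activateUser($pdo, (int) $user['id']);
header('Location: /login.php?confirmed=1', true, 303);
```

The same GET-renders / POST-activates split applies if the front end submits the code via JavaScript instead of a form: the background request that activates the account must be one an automated fetch of the link would never make.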
