no way. just don't send it.
and, for those who are in the tank, the client follows the location, not the elephant.
and directory browsing is prohibited by other means.

The question is rare in its meaninglessness.
And from the very beginning. Why on earth does "prohibit directory browsing" have anything to do with "site security"?
Then it's funny. What are these "technical reasons" that allow you to write some kind of, most likely, RewriteRule in .htaccess, but suddenly do not allow you to write Options -Indexes?
Then comes some kind of madness, "I can't forbid, so I redirected to it." STA? Maybe after all not on him, but from him?
Well, the icing on the cake - it turns out that the security of the site depends on the ability of PHP not to respond to the redirect. The entire infrastructure of the world, the security of banks and nuclear power plants is at stake: the question of the century: should puff-puff headlines or not.
I'm not talking about the fact that "PHP" does not follow any headers. There are several different ways to make an HTTP request from PHP, and accordingly, for each method, the prohibition of following the Location header will be different. That is, without specifying the way in which the request is made, it is somewhat naive to hope for an answer.

Pull through curl and see if it returns anything besides the header or not.