I'm writing an authentication script in PHP, to be called as an API, that needs to return 200
only in the case that it approves the request, and
I checked the PHP docs for header(), and it's simpler than I was making it - if the second parameter is true, it will replace a similar header. The default is true. So the correct behavior is header('HTTP/1.1 403 Forbidden');, then do the authentication logic, then if it authenticates, do header('HTTP/1.1 200 OK'). It will replace the 403 response, and will guarantee that 403 is the default.
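
The deny-by-default pattern described above, written out as an added example (not the poster's code). The API_TOKEN environment variable, the X-Api-Token request header and the isAuthorized() helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// If output has already started, PHP has sent the status line and the
// 403 default below can no longer be applied. Stop instead of continuing.
if (headers_sent($file, $line)) {
    error_log("auth: output already started at $file:$line");
    exit;
}

// Fail closed: deny first, so every path that does not reach the explicit
// approval at the bottom (exception, early exit, fatal error) stays 403.
header('HTTP/1.1 403 Forbidden');

/**
 * Hypothetical check: compare a client-supplied token with a secret read
 * from the environment. Both names are assumptions for this example.
 */
function isAuthorized(array $server): bool
{
    $expected = getenv('API_TOKEN');                 // assumed secret source
    $supplied = $server['HTTP_X_API_TOKEN'] ?? '';   // assumed request header

    // An unset or empty secret must never match an empty client token.
    if ($expected === false || $expected === '' || !is_string($supplied)) {
        return false;
    }
    // Constant-time comparison avoids leaking the secret through timing.
    return hash_equals($expected, $supplied);
}

try {
    $approved = isAuthorized($_SERVER);
} catch (Throwable $e) {
    error_log('auth: check failed: ' . $e->getMessage());
    $approved = false;                               // errors never approve
}

if ($approved) {
    // A status line passed to header() replaces the earlier 403. If stray
    // output was emitted during the check, this call fails with a warning
    // and the 403 stands, which is the safe outcome.
    header('HTTP/1.1 200 OK');
}
```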