Sometimes you need to block a user from your PHP script, but you want to make sure the correct HTTP headers are sent as well. Unless your server has explicitly sent a
403: Forbidden HTTP header, then by the time you get to your PHP script the browser client just assumes it’s a nice 200 OK response.
Fortunately, PHP has the wonderful ability to send raw HTTP headers with the header() function. With just a single line of code we can send the appropriate header for a 403: Forbidden response:
That’s all it takes! Note – the first line is just a comment – all you really need is the
header() function call.
And remember, once you send the 403 Forbidden response code from PHP, there’s no changing it. Do all your checks first, then decide what HTTP codes to send.
Copy from http://gabrielharper.com/blog/2012/09/php-403-forbidden-redirect-code/