How to return an HTTP 500 code on any error, no matter what

I checked the PHP docs for header(), and it's simpler than I was making it - if the second parameter is true, it will replace a similar header. the default is true. So the correct behavior is header ('HTTP/1.1 403 Forbidden');, then do the authentication logic, then if it authenticates, do header ('HTTP/1.1 200 OK'). It will replace the 403 response, and will guarantee that 403 is the default.

Simply send the status code as a response header():

header('HTTP/1.1 500 Internal Server Error');

Remember that when sending this there must not be any output before it. That means no echo calls and no HTML or whitespace.