diff --git a/typo3/sysext/core/Configuration/DefaultConfiguration.php b/typo3/sysext/core/Configuration/DefaultConfiguration.php
index 6c8221791720c9212e8669cf17c3a3cef2dae369..4fbefadfd23df4125ee20e21dad56a98e363ecb9 100644
--- a/typo3/sysext/core/Configuration/DefaultConfiguration.php
+++ b/typo3/sysext/core/Configuration/DefaultConfiguration.php
@@ -1016,6 +1016,7 @@ return [
 'compressionLevel' => 0,
 'pageNotFound_handling' => '',
 'pageNotFound_handling_statheader' => 'HTTP/1.0 404 Not Found',
+ 'pageNotFound_handling_accessdeniedheader' => 'HTTP/1.0 403 Access denied',
 'pageNotFoundOnCHashError' => true,
 'pageUnavailable_handling' => '',
 'pageUnavailable_handling_statheader' => 'HTTP/1.0 503 Service Temporarily Unavailable',
diff --git a/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml b/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
index 1c4b6d180e5cd88a0fed9c6c1712ef39eb4eeec9..b281edab7964dd099223e9fe30a4574f2d1e46e2 100644
--- a/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
+++ b/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
@@ -352,7 +352,10 @@ FE:
 description: '<p>How TYPO3 should handle requests for non-existing/accessible pages.</p> <dl><dt>empty (default)</dt><dd>The next visible page upwards in the page tree is shown.</dd> <dt>''true'' or ''1''</dt><dd>An error message is shown.</dd><dt>String</dt><dd>Static HTML file to show (reads content and outputs with correct headers), e.g. ''notfound.html'' or ''http://www.example.org/errors/notfound.html''.</dd> <dt>Prefix "REDIRECT:"</dt><dd> If prefixed with "REDIRECT:" it will redirect to the URL/script after the prefix.</dd><dt>Prefix "READFILE:"</dt><dd>If prefixed with "READFILE" then it will expect the remaining string to be a HTML file which will be read and outputted directly after having the marker "###CURRENT_URL###" substituted with REQUEST_URI and ###REASON### with reason text, for example: "READFILE:fileadmin/notfound.html".</dd> <dt>Prefix "USER_FUNCTION:"</dt><dd> If prefixed with "USER_FUNCTION:" a user function is called, e.g. "USER_FUNCTION:fileadmin/class.user_notfound.php:user_notFound->pageNotFound" where the file must contain a class "user_notFound" with a method "pageNotFound" inside with two parameters $param and $ref.</dd></dl>'
 pageNotFound_handling_statheader:
 type: text
- description: 'If ''pageNotFound_handling'' is enabled, this string will always be sent as header before the actual handling.'
+ description: 'If ''pageNotFound_handling'' is enabled, this string will always be sent as header before the actual handling. This applies to non-access-restriction related errors.'
+ pageNotFound_handling_accessdeniedheader:
+ type: text
+ description: 'If ''pageNotFound_handling'' is enabled, this string will always be sent as header before the actual handling. This applies to access-restricted related errors.'
 pageNotFoundOnCHashError:
 type: bool
 description: 'If TRUE, a page not found call is made when cHash evaluation error occurs, otherwise caching is disabled and page output is displayed.'
diff --git a/typo3/sysext/core/Documentation/Changelog/8.7/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst b/typo3/sysext/core/Documentation/Changelog/8.7/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst
new file mode 100644
index 0000000000000000000000000000000000000000..597d520c281a2050b09fdeeef16444486cd256e8
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/8.7/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst
@@ -0,0 +1,18 @@
+.. include:: ../../Includes.txt
+
+==========================================================================================
+Important: #23178 - New TYPO3_CONF_VARS option FE|pageNotFound_handling_accessdeniedheader
+==========================================================================================
+
+See :issue:`23178`
+
+Description
+===========
+
+In order to send a correct HTTP header to the browser when access to a page is denied,
+a new option TYPO3_CONF_VARS is introduced.
+
+The option :php:`FE|pageNotFound_handling_accessdeniedheader` allows to configure the
+header which defaults to :php:`HTTP/1.0 403 Access denied`.
+
+.. index:: Frontend, LocalConfiguration, NotScanned
\ No newline at end of file
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst b/typo3/sysext/core/Documentation/Changelog/master/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst
new file mode 100644
index 0000000000000000000000000000000000000000..597d520c281a2050b09fdeeef16444486cd256e8
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/master/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst
@@ -0,0 +1,18 @@
+.. include:: ../../Includes.txt
+
+==========================================================================================
+Important: #23178 - New TYPO3_CONF_VARS option FE|pageNotFound_handling_accessdeniedheader
+==========================================================================================
+
+See :issue:`23178`
+
+Description
+===========
+
+In order to send a correct HTTP header to the browser when access to a page is denied,
+a new option TYPO3_CONF_VARS is introduced.
+
+The option :php:`FE|pageNotFound_handling_accessdeniedheader` allows to configure the
+header which defaults to :php:`HTTP/1.0 403 Access denied`.
+
+.. index:: Frontend, LocalConfiguration, NotScanned
\ No newline at end of file
diff --git a/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php b/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
index 2bd0d4067865c092d710783bd5d99542dddb5d94..130be8e37afe539ae979b8f15d6f69371d673a65 100644
--- a/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
+++ b/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
@@ -1344,7 +1344,11 @@ class TypoScriptFrontendController implements LoggerAwareInterface
 3 => 'ID was outside the domain',
 4 => 'The requested page alias does not exist'
 ];
- $this->pageNotFoundAndExit($pNotFoundMsg[$this->pageNotFound]);
+ $header = '';
+ if ($this->pageNotFound === 1 || $this->pageNotFound === 2) {
+ $header = $GLOBALS['TYPO3_CONF_VARS']['FE']['pageNotFound_handling_accessdeniedheader'];
+ }
+ $this->pageNotFoundAndExit($pNotFoundMsg[$this->pageNotFound], $header);
 }
 // Init SYS_LASTCHANGED
 $this->register['SYS_LASTCHANGED'] = (int)$this->page['tstamp'];
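Review bot: With the `if ($this->pageNotFound === 1 || $this->pageNotFound === 2)` branch and the `HTTP/1.0 403 Access denied` default added in DefaultConfiguration.php, a visitor without access can tell a restricted page that exists from a page that does not exist by the status line alone; before this change both cases presumably received `pageNotFound_handling_statheader`. The option description and the changelog entries should say so, and should mention that setting `pageNotFound_handling_accessdeniedheader` to the same value as `pageNotFound_handling_statheader` keeps the two cases indistinguishable for sites that must not reveal which protected pages exist. The codes 1 and 2 are bare numbers whose messages sit in the part of `$pNotFoundMsg` above this hunk, so I would add a comment on the condition such as `// 1 and 2 are the access-restriction entries of $pNotFoundMsg; every other code keeps the default header`, assuming that is what they denote. The fallback for the other codes relies on `pageNotFoundAndExit()` treating an empty `$header` as "use the default", which is not visible here and is worth confirming; the enclosing method starts and ends outside the hunk.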