with

Limiting by $HTTP["request-method"] works a treat. Unfortunately when you use url.access-deny lighttpd sets the status code and headers as a fixed thing (403 status), regardless of if you try to add header before or after. End result: