The DenyWcmDisabled Model sets a 403 Forbidden header if WCM mode is disabled.
It should get extended to take any HTTP status code by request attribute with 403 as default value.
Implemented in https://github.com/wcm-io/wcm-io-wcm/pull/2
Please check and merge.
thanks, i've added a changelog entry and applied it.