Once we receive a response back from Siteminder with a custom header (we are using .Net) we then get the header information by doing Request.Headers[HeaderIdentifier] would doing this allow for a back door? Should we use Request.ServerVariables[HeaderIdentifier] does Siteminder write this custom header to Request.ServerVariables?