The strange thing is the variable doesn't seem to remain static once set.
That's true, as this is just a HTTP request header. That's not "persistent" like a cookie.
I wonder if I have to do both on the HTTP_RESPONSE as well as REQUEST.
Why would you want to do that? The client (a browser) will not take care about any special HTTP header, even if you set it in HTTP_RESPONSE, unless you have javascript or activex code running in the browser that checks that header.
In general you are inserting a certain HTTP request header to add some information to a request. This additional information will be used by the backend application to perform additional operations if that information is present. Based on the name of your header I assume you want to tell the backend application if the original request has been encrypted or not. This will have a meaning for the backend application but not for the client.
Hope that helps.
Regards
Kurt Knochner