It's not unreasonable to set a different header value for the login page only, where it should be safe because no external user data is being rendered.