Our application is using Request.Headers[HeaderIdentifier] rather than Request.ServerVariables[HeaderIdentifier]. Is this a security hole?

 

We are using the .NET platform. We receive the request back from SiteMinder and use Request.Headers[HeaderIdentifier] to retrieve the authenticated user. Is this a back door? Should we only use Request.ServerVariables[HeaderIdentifier]? Does SiteMinder write to Request.ServerVariables for custom headers?

