By the time you've gotten this response header, the request has already been sent over the connection that you don't trust, and at least part of the response.
I love your suggestion, with the caveat that browsers send a pre-flight interrogation request (similar to OPTIONS with CORS) to determine if the origin connection is secure before sending a legitimate request (containing potentially sensitive data).