(I use Nginx, but there might be something similar)
Making it a configurable option or just checking if the session is over TLS before setting the flag would work fine. The point of the flag is to protect against you not forcing TLS (server misconfig) when your server normally would use it.
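An added example, not part of the original comment and not the project's own code: one way to combine both suggestions, assuming the flag under discussion is the cookie `Secure` attribute and that TLS is terminated by a reverse proxy such as Nginx which sets `X-Forwarded-Proto`. The function names, the `mode` values and the trusted-proxy address are hypothetical.

```python
import ipaddress
from http.cookies import SimpleCookie

# Assumption: the TLS-terminating proxy (e.g. Nginx) connects from these addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def request_is_tls(scheme, peer_ip, headers, trusted=TRUSTED_PROXIES):
    """True if the client connection used TLS, directly or via a trusted proxy."""
    if scheme == "https":
        return True
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in trusted):
        # Only a trusted proxy's X-Forwarded-Proto is believed; any client can forge it.
        return headers.get("X-Forwarded-Proto", "").strip().lower() == "https"
    return False


def session_cookie(value, mode, scheme, peer_ip, headers):
    """Build the Set-Cookie value. mode (hypothetical option): always, never, auto."""
    if mode not in ("always", "never", "auto"):
        raise ValueError("unknown secure-cookie mode: %r" % mode)
    secure = mode == "always" or (
        mode == "auto" and request_is_tls(scheme, peer_ip, headers)
    )
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["path"] = "/"
    jar["session"]["httponly"] = True
    if secure:
        jar["session"]["secure"] = True
    return jar["session"].OutputString()


if __name__ == "__main__":
    # Constructed sample requests: (scheme, peer address, headers)
    samples = [
        ("https", "203.0.113.5", {}),
        ("http", "127.0.0.1", {"X-Forwarded-Proto": "https"}),
        ("http", "203.0.113.5", {"X-Forwarded-Proto": "https"}),  # forged header
    ]
    for scheme, peer, hdrs in samples:
        print(scheme, peer, "->", session_cookie("abc", "auto", scheme, peer, hdrs))
```

In `auto` mode a plain-HTTP request receives the cookie without the flag, so `always` is the setting that still guards against the server misconfiguration the comment describes.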