diff --git a/README.md b/README.md index 1181c95..93dd58b 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ This package does not put any restrictions on the http methods or headers, excep cookies. Requesting [user credentials](http://www.w3.org/TR/cors/#user-credentials) is disallowed. Redirects are not automatically followed. Instead, the server replies with http status code 333 and -includes an absolute URL in the `location` response header. +includes an absolute URL in the `Location` response header. The package also includes a Procfile, to run the app on Heroku. More information about Heroku can be found at https://devcenter.heroku.com/articles/nodejs. diff --git a/lib/cors-anywhere.js b/lib/cors-anywhere.js index e425506..bff0e97 100644 --- a/lib/cors-anywhere.js +++ b/lib/cors-anywhere.js @@ -49,6 +49,12 @@ function withCORS(headers, request) { headers['access-control-allow-headers'] = request.headers['access-control-request-headers']; delete request.headers['access-control-request-headers']; } + + var exposedHeaders = headers['access-control-expose-headers'] || ''; + if (exposedHeaders) exposedHeaders += ','; + exposedHeaders += 'location,x-request-url'; + headers['access-control-expose-headers'] = exposedHeaders; + return headers; } function isForbidden(host) { @@ -77,8 +83,8 @@ function proxyRequest(req, res, proxy, full_url, proxyOptions) { headers['location'] = url.resolve(full_url, headers['location']); } // Don't use 301 or 302 because browsers may cancel the request (observed in Chrome with a custom request header) - statusCode = 333; reasonPhrase = 'Redirect ' + statusCode; + statusCode = 333; } // Don't slip through cookies diff --git a/lib/help.txt b/lib/help.txt index 369cd41..9838312 100644 --- a/lib/help.txt +++ b/lib/help.txt 
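Review bot: The block added to withCORS just before `return headers;` has no comment saying why `location` and `x-request-url` are appended. The reason is a browser rule that is easy to forget: cross-origin scripts cannot read response headers outside the CORS-safelisted set unless they are listed in `Access-Control-Expose-Headers`. I would put `// Expose the headers clients of the proxy need; cross-origin scripts cannot read non-safelisted response headers otherwise.` above `var exposedHeaders`. Any existing `access-control-expose-headers` value is kept verbatim and extended, so if `headers` is the target server's response headers (the caller is outside this hunk), the target also decides which of its own headers become readable through the proxy; the comment should state that this pass-through is intended. withCORS begins above the hunk.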
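Review bot: The swapped assignments in the redirect branch of proxyRequest now depend on statement order, and nothing on the new lines says so. `reasonPhrase` has to be built before `statusCode` is overwritten so that it carries the upstream redirect code rather than 333. A one-line comment such as `// Build the phrase first: it records the upstream 3xx code before the status is replaced with 333.` would keep a later cleanup from reverting the order. If clients are meant to learn the original code, the reason phrase is a fragile carrier (HTTP/2 has none), so that limitation is worth noting in the same comment. The enclosing function starts and ends outside the hunk.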
@@ -11,7 +11,8 @@ If the protocol is omitted, it defaults to http (https if port 443 is specified) Cookies are disabled and stripped from requests. Redirects are not automatically followed: The API response has status code 333. -The client ought to confirm this redirection by creating a new request. +The client ought to confirm this redirection by creating a new request (the url +is available in the Location response header). The requested URL is available in the X-Request-URL response header. Non-existence of this header implies that the requested URL was not recognized.