diff --git a/lib/cors-anywhere.js b/lib/cors-anywhere.js
index 9846afd..9715204 100644
--- a/lib/cors-anywhere.js
+++ b/lib/cors-anywhere.js
@@ -62,11 +62,7 @@ function withCORS(headers, request) {
     delete request.headers['access-control-request-headers'];
   }
 
-  var exposedHeaders = headers['access-control-expose-headers'] || '';
-  if (!/,\s*location\s*,/i.test(','+exposedHeaders+',')) exposedHeaders += ',location';
-  if (!/,\s*x-request-url\s*,/i.test(','+exposedHeaders+',')) exposedHeaders += ',x-request-url,x-final-url';
-  if (exposedHeaders.charAt(0) === ',') exposedHeaders = exposedHeaders.substr(1);
-  headers['access-control-expose-headers'] = exposedHeaders;
+  headers['access-control-expose-headers'] = Object.keys(headers).join(',');
 
   return headers;
 }
@@ -165,13 +161,13 @@ function onProxyResponse(response, req, res) {
       response.headers['location'] = requestState.proxyBaseUrl + '/' + locationHeader;
     }
   }
-  withCORS(response.headers, req);
 
-  // Don't slip through cookies
+  // Strip cookies
   delete response.headers['set-cookie'];
   delete response.headers['set-cookie2'];
 
   response.headers['x-final-url'] = requestState.location.href;
+  withCORS(response.headers, req);
 }
 
 
diff --git a/package.json b/package.json
index 730b117..f7df47b 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "cors-anywhere",
-  "version": "0.2.1",
+  "version": "0.2.2",
   "description": "CORS Anywhere is a reverse proxy which adds CORS headers to the proxied request. Request URL is taken from the path", 
   "license": "MIT",
   "author": "Rob Wu <rob@robwu.nl>",