Right. I was aiming to do it client-side only but I found out that web browsers restrict the headers you have access to through cross-origin XHR requests [1][2].
So it was a trade-off and I preferred showing all the headers at the expense of having to proxy the calls through a server.