diff --git a/proxy/proxy.go b/proxy/proxy.go
index 103e429..f0ba134 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -333,10 +333,6 @@ func sendDirectResponse(w http.ResponseWriter, r *http.Request,
 	case strings.HasPrefix(r.Header.Get(hdrContentType), hdrTypeGrpc):
 		w.Header().Set(hdrGrpcStatus, strconv.Itoa(int(codes.Internal)))
 		w.Header().Set(hdrGrpcMessage, errInfo)
-		w.Header().Set("Content-Length", "0")
-		w.Header().Set(":status", strconv.Itoa(statusCode))
-		w.Header().Add("Trailer", hdrGrpcStatus)
-		w.Header().Add("Trailer", hdrGrpcMessage)
 
 		w.WriteHeader(statusCode)
 
diff --git a/proxy/proxy_test.go b/proxy/proxy_test.go
index abded09..e731451 100644
--- a/proxy/proxy_test.go
+++ b/proxy/proxy_test.go
@@ -23,6 +23,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
 	"gopkg.in/macaroon.v2"
 )
@@ -293,10 +294,13 @@ func runGRPCTest(t *testing.T, tc *testCase) {
 	client := proxytest.NewGreeterClient(conn)
 
 	// Make request without authentication. We expect an error that can
-	// be parsed by gRPC.
+	// be parsed by gRPC. We also need to extract any metadata that are
+	// sent in the trailer to make sure the challenge is returned properly.
 	req := &proxytest.HelloRequest{Name: "foo"}
+	captureMetadata := metadata.MD{}
 	_, err = client.SayHello(
 		context.Background(), req, grpc.WaitForReady(true),
+		grpc.Trailer(&captureMetadata),
 	)
 	require.Error(t, err)
 	statusErr, ok := status.FromError(err)
@@ -304,6 +308,18 @@ func runGRPCTest(t *testing.T, tc *testCase) {
 	require.Equal(t, "payment required", statusErr.Message())
 	require.Equal(t, codes.Internal, statusErr.Code())
 
+	// We expect the WWW-Authenticate header field to be set to an LSAT
+	// auth response.
+	expectedHeaderContent, _ := mockAuth.FreshChallengeHeader(&http.Request{
+		Header: map[string][]string{},
+	}, "", 0)
+	capturedHeader := captureMetadata.Get("WWW-Authenticate")
+	require.Len(t, capturedHeader, 1)
+	require.Equal(
+		t, expectedHeaderContent.Get("WWW-Authenticate"),
+		capturedHeader[0],
+	)
+
 	// Make sure that if we query an URL that is on the whitelist, we don't
 	// get the 402 response.
 	if len(tc.authWhitelist) > 0 {