diff --git a/config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
index d75b5a0169..89d265d3cd 100644
--- a/config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
@@ -111,13 +111,13 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
 parseHeaderElements(element);
- if (disabled) {
- if (!headerWriters.isEmpty()) {
- parserContext
- .getReaderContext()
- .error("Cannot specify with child elements.",
- element);
- }
+ boolean noWriters = headerWriters.isEmpty();
+ if (disabled && !noWriters) {
+ parserContext
+ .getReaderContext()
+ .error("Cannot specify with child elements.",
+ element);
+ } else if (noWriters) {
 return null;
 }
diff --git a/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
index 8c3c526373..e944e085b1 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
@@ -109,6 +109,18 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
 // --- defaults disabled
+ // gh-3986
+ def 'http headers defaults-disabled with no override'() {
+ httpAutoConfig {
+ 'headers'('defaults-disabled':true) {
+ }
+ }
+ createAppContext()
+
+ expect:
+ getFilter(HeaderWriterFilter) == null
+ }
+ def 'http headers content-type-options'() {
 httpAutoConfig {
 'headers'('defaults-disabled':true) {
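Review bot: The `disabled && !noWriters` branch now falls through after `error(...)` instead of reaching `return null;`, which the old code did for every disabled configuration. If the reader context's error handling throws, this makes no difference, but with one that only records problems (not visible in this hunk) parsing would presumably continue and build the header filter for a headers element that was declared disabled. Adding `return null;` after the `.error(..., element);` call keeps the old behaviour. The `else if (noWriters)` branch also deserves a comment such as `// no header writers configured: register no HeaderWriterFilter, so no security headers are written`, since it now applies to non-disabled configurations too. The enclosing method starts and ends outside the hunk.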