diff --git a/README.md b/README.md
index 0767be5f..a1d62ccb 100644
--- a/README.md
+++ b/README.md
@@ -178,7 +178,7 @@ Application Options:
       --match-whitelist-or-domain                           Allow users that match *either* whitelist or domain (enabled by default in v3) [$MATCH_WHITELIST_OR_DOMAIN]
       --url-path=                                           Callback URL Path (default: /_oauth) [$URL_PATH]
       --secret=                                             Secret used for signing (required) [$SECRET]
-      --soft-auth-user=                                     Username used in header if unauthorized with soft-auth action (default: -) [$SOFT_AUTH_USER]
+      --soft-auth-user=                                     If set, username used in header if unauthorized with soft-auth action [$SOFT_AUTH_USER]
       --user-id-path=                                       Dot notation path of a UserID for use with whitelist and X-Forwarded-User (default: email) [$USER_ID_PATH]
       --whitelist=                                          Only allow given UserID, comma separated, can be set multiple times [$WHITELIST]
       --port=                                               Port to listen on (default: 4181) [$PORT]
diff --git a/internal/config.go b/internal/config.go
index fb117900..34e5093c 100644
--- a/internal/config.go
+++ b/internal/config.go
@@ -40,7 +40,7 @@ type Config struct {
 	MatchWhitelistOrDomain bool                 `long:"match-whitelist-or-domain" env:"MATCH_WHITELIST_OR_DOMAIN" description:"Allow users that match *either* whitelist or domain (enabled by default in v3)"`
 	Path                   string               `long:"url-path" env:"URL_PATH" default:"/_oauth" description:"Callback URL Path"`
 	SecretString           string               `long:"secret" env:"SECRET" description:"Secret used for signing (required)" json:"-"`
-	SoftAuthUser           string               `long:"soft-auth-user" env:"SOFT_AUTH_USER" default:"-" description:"Username used in header if unauthorized with soft-auth action"`
+	SoftAuthUser           string               `long:"soft-auth-user" env:"SOFT_AUTH_USER" default:"" description:"If set, username used in header if unauthorized with soft-auth action"`
 	UserPath               string               `long:"user-id-path" env:"USER_ID_PATH" default:"email" description:"Dot notation path of a UserID for use with whitelist and X-Forwarded-User"`
 	Whitelist              CommaSeparatedList   `long:"whitelist" env:"WHITELIST" env-delim:"," description:"Only allow given UserID, comma separated, can be set multiple times"`
 	Port                   int                  `long:"port" env:"PORT" default:"4181" description:"Port to listen on"`
diff --git a/internal/config_test.go b/internal/config_test.go
index 67bbaa71..0293633a 100644
--- a/internal/config_test.go
+++ b/internal/config_test.go
@@ -36,7 +36,7 @@ func TestConfigDefaults(t *testing.T) {
 	assert.Equal(time.Second*time.Duration(43200), c.Lifetime)
 	assert.False(c.MatchWhitelistOrDomain)
 	assert.Equal("/_oauth", c.Path)
-	assert.Equal("-", c.SoftAuthUser)
+	assert.Equal("", c.SoftAuthUser)
 	assert.Len(c.Whitelist, 0)
 	assert.Equal(c.Port, 4181)
 
diff --git a/internal/server.go b/internal/server.go
index 88a46414..91fce228 100644
--- a/internal/server.go
+++ b/internal/server.go
@@ -118,7 +118,9 @@ func (s *Server) authHandler(providerName, rule string, soft bool) http.HandlerF
 	var unauthorized func(w http.ResponseWriter)
 	if soft {
 		unauthorized = func(w http.ResponseWriter) {
-			w.Header().Set(config.HeaderName, config.SoftAuthUser)
+			if config.SoftAuthUser != "" {
+				w.Header().Set(config.HeaderName, config.SoftAuthUser)
+			}
 			w.WriteHeader(200)
 		}
 	} else {