diff --git a/CHANGELOG.md b/CHANGELOG.md
index 19df1b284..e6dedf384 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+# 2019-11-10
+
+## Tightened security around room directory publishing
+
+As per this [advisory blog post](https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers), we've decided to change the default publishing rules for the Matrix room directory.
+
+Our general goal is to favor privacy and security when running personal (family & friends) and corporate homeservers.
+Both of these likely benefit from having a more secure default of **not showing the room directory without authentication** and **not publishing the room directory over federation**.
+
+As with anything else, these new defaults can be overriden by changing the `matrix_synapse_allow_public_rooms_without_auth` and `matrix_synapse_allow_public_rooms_over_federation` variables, respectively.
+
+
 # 2019-10-05
 
 ## Improved Postgres upgrading/importing
diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index f1b453f3d..7651bf640 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -136,6 +136,15 @@ matrix_synapse_report_stats: false
 # disabling this will decrease server load significantly.
 matrix_synapse_use_presence: true
 
+# Controls whether accessing the server's public rooms directory can be done without authentication.
+# For private servers, you most likely wish to require authentication,
+# unless you know what list of rooms you're publishing to the world and explicitly want to do it.
+matrix_synapse_allow_public_rooms_without_auth: false
+
+# Controls whether remote servers can fetch this server's public rooms directory via federation.
+# For private servers, you most likely wish to forbid it.
+matrix_synapse_allow_public_rooms_over_federation: false
+
 # Controls whether people with access to the homeserver can register by themselves.
 matrix_synapse_enable_registration: false
 
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 9d8da346c..d7adb26a8 100644
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -48,12 +48,12 @@ use_presence: {{ matrix_synapse_use_presence|to_json }}
 # If set to 'false', requires authentication to access the server's public rooms
 # directory through the client API. Defaults to 'true'.
 #
-#allow_public_rooms_without_auth: false
+allow_public_rooms_without_auth: {{ matrix_synapse_allow_public_rooms_without_auth|to_json }}
 
 # If set to 'false', forbids any other homeserver to fetch the server's public
 # rooms directory via federation. Defaults to 'true'.
 #
-#allow_public_rooms_over_federation: false
+allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_federation|to_json }}
 
 # The default room version for newly created rooms.
 #