diff --git a/deploy.sh b/deploy.sh
index 49125a6..474ac33 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -980,6 +980,10 @@ sed -i '/^# Experimental features$/d' synapse/data/homeserver.yaml
 sed -i '/^# Enable registration/d' synapse/data/homeserver.yaml
 sed -i '/^enable_registration:/d' synapse/data/homeserver.yaml
+# Remove old public room settings if present (re-added explicitly below)
+sed -i '/^allow_public_rooms_without_auth:/d' synapse/data/homeserver.yaml
+sed -i '/^allow_public_rooms_over_federation:/d' synapse/data/homeserver.yaml
+
 # Remove old double-puppeting appservice registration if present (prevents duplication on re-run)
 sed -i '/^# Double-puppeting appservice/d' synapse/data/homeserver.yaml
 sed -i '/^app_service_config_files:/,/^[^ ]/{ /^app_service_config_files:/d; /^[^ ]/!d }' synapse/data/homeserver.yaml
@@ -1006,6 +1010,9 @@ database:
 # Enable registration (disabled when using MAS/OAuth delegation)
 enable_registration: false
+allow_guest_access: false
+allow_public_rooms_without_auth: false
+allow_public_rooms_over_federation: false
 # MAS Integration (Synapse 1.136+ stable config — replaces deprecated experimental_features.msc3861)
 matrix_authentication_service:
@@ -1081,8 +1088,8 @@ if [[ "$DEPLOYMENT_MODE" == "local" ]]; then
 {
 # Use local CA for self-signed certificates
 local_certs
- # Enable admin API
- admin 0.0.0.0:2019
+ # Enable admin API (localhost only)
+ admin localhost:2019
 }
 CADDYEOF
@@ -1560,8 +1567,8 @@ if [[ "$DEPLOYMENT_MODE" == "production" ]]; then
 {
 email ${LETSENCRYPT_EMAIL}
- # Enable admin API (restrict access in firewall)
- admin 0.0.0.0:2019
+ # Enable admin API (localhost only)
+ admin localhost:2019
 }
 # =========================
@@ -1634,6 +1641,11 @@ ${MATRIX_DOMAIN} {
 }
 }
+ # Block public access to Synapse admin API
+ handle /_synapse/admin* {
+ respond "Forbidden" 403
+ }
+
 handle {
 reverse_proxy ${MATRIX_SERVER_IP}:8008
 }
diff --git a/templates/homeserver.yaml b/templates/homeserver.yaml
index c45f954..df3c431 100644
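Review bot: The re-run cleanup deletes the two `allow_public_rooms_*` keys but not `allow_guest_access:`, which the heredoc added later in this same commit also writes; if that heredoc is appended to the same `synapse/data/homeserver.yaml`, as the delete-then-re-add pattern around these lines suggests, a second run leaves a duplicate `allow_guest_access` key (YAML loaders typically keep the last occurrence, so it will not fail loudly, but it is exactly the duplication this block exists to prevent). Add `sed -i '/^allow_guest_access:/d' synapse/data/homeserver.yaml` next to the two new deletions. The `^`-anchored patterns match only top-level keys, which is the right scope here. The surrounding statement run continues outside the hunk.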
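Review bot: The three keys added after `enable_registration: false` carry no comment, unlike the matching block in `templates/homeserver.yaml`, and a reader may take them for an access control on rooms; add above them `# Room directory only: hide the public room list from unauthenticated clients and federation.` and `# Rooms with a public join rule remain joinable by anyone who knows the ID or alias.` Those two sentences reflect what the `allow_public_rooms_*` options govern in Synapse, which is worth stating because the hardening this commit intends is listing visibility, not join restriction. The heredoc this sits in starts and ends outside the hunk.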
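Review bot: Moving the admin API to `admin localhost:2019` removes the all-interfaces exposure, but anything that reached it over the network before — the old comment deferred that to a firewall — will now fail silently, so check deploy.sh for remote `caddy reload`/`curl :2019` calls and, if Caddy runs in a container, for a published 2019 port, since `localhost` there is the container's own loopback. The comment should say why and how it is meant to be used rather than only what it binds, e.g. `# Admin API on loopback only: use 'docker exec ... caddy reload' locally; never publish 2019`. The same change appears in the local-mode Caddyfile block earlier in this diff. The production heredoc starts and ends outside the hunk.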
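Review bot: The `/_synapse/admin*` block only covers traffic that arrives through Caddy; the catch-all below proxies to `${MATRIX_SERVER_IP}:8008`, so any host that can reach that address directly still has the full admin API, and the real gate remains Synapse's own admin-user token check — the 403 is defense in depth, not the control. Caddy's Caddyfile adapter sorts `handle` blocks by path-matcher length, so this one should win over the bare `handle` regardless of order, but that is non-obvious and worth a comment: `# Caddy orders handle blocks by matcher length, so this precedes the catch-all below`. If a separate federation listener (8448) is proxied elsewhere in the file, confirm it does not also route `/_synapse/admin`. The `${MATRIX_DOMAIN} {` site block closes outside the hunk.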
--- a/templates/homeserver.yaml
+++ b/templates/homeserver.yaml
@@ -45,6 +45,10 @@ registration_shared_secret: "{{SYNAPSE_REGISTRATION_SHARED_SECRET}}"
 # Allow guest access
 allow_guest_access: false
+# Public room directory visibility
+allow_public_rooms_without_auth: false
+allow_public_rooms_over_federation: false
+
 # Matrix Authentication Service (MAS) integration (Synapse 1.136+)
 # Replaces deprecated experimental_features.msc3861
 matrix_authentication_service:
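Review bot: The same three settings now live both here and in the inline heredoc in deploy.sh from this commit, so the two copies will drift unless one is generated from the other; the template should say which copy is authoritative, or deploy.sh should render this template instead of carrying its own. The comment `# Public room directory visibility` is also easy to misread as room access control; `# Public room directory visibility (unauthenticated clients / federation); does not restrict joining rooms by ID or alias` states the boundary. The hunk sits inside a larger config file that continues outside the hunk.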