diff --git a/conduit-example.toml b/conduit-example.toml index 836db654..e551e022 100644 --- a/conduit-example.toml +++ b/conduit-example.toml @@ -55,3 +55,12 @@ trusted_servers = ["matrix.org"] address = "127.0.0.1" # This makes sure Conduit can only be reached using the reverse proxy #address = "0.0.0.0" # If Conduit is running in a container, make sure the reverse proxy (ie. Traefik) can reach it. + +# Set this to true to allow your server's public room directory to be federated. +# Set this to false to protect against /publicRooms spiders, but will forbid external users from viewing your server's public room directory. +# If federation is disabled entirely (`allow_federation`), this is inherently false. +allow_public_room_directory_over_federation = false + +# Set this to true to allow your server's public room directory to be queried without client authentication (access token) through the Client APIs. +# Set this to false to protect against /publicRooms spiders. +allow_public_room_directory_without_auth = false \ No newline at end of file diff --git a/src/api/client_server/directory.rs b/src/api/client_server/directory.rs index 50ae9f15..a54d2aba 100644 --- a/src/api/client_server/directory.rs +++ b/src/api/client_server/directory.rs @@ -36,6 +36,17 @@ use tracing::{error, info, warn}; pub async fn get_public_rooms_filtered_route( body: Ruma, ) -> Result { + if !services() + .globals + .config + .allow_public_room_directory_without_auth + { + let _sender_user = body + .sender_user + .as_ref() + .ok_or_else(|| Error::BadRequest(ErrorKind::MissingToken, "Missing access token."))?; + } + get_public_rooms_filtered_helper( body.server.as_deref(), body.limit, 
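Review bot: The comment above `allow_public_room_directory_without_auth` presents the access-token requirement as protection against /publicRooms spiders without stating what that protection depends on. A token restricts who can list rooms only as far as obtaining an account on this server is itself restricted, so the comment should say so, for example `# Note: this only helps if account registration is restricted; with open registration any client can obtain a token.` The file also now ends without a trailing newline.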
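Review bot: The guard added at the top of get_public_rooms_filtered_route reads `services().globals.config.allow_public_room_directory_without_auth` directly, although this commit adds an `allow_public_room_directory_without_auth()` accessor in src/service/globals/mod.rs and the federation routes use the accessor form; the identical block is repeated in get_public_rooms_route in the next hunk. The `let _sender_user` binding is never used, so the check reads more plainly as `if !services().globals.allow_public_room_directory_without_auth() && body.sender_user.is_none() { return Err(Error::BadRequest(ErrorKind::MissingToken, "Missing access token.")); }`, ideally in one small helper that both routes call. The function body continues past the end of the hunk.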
@@ -54,6 +65,17 @@ pub async fn get_public_rooms_filtered_route( pub async fn get_public_rooms_route( body: Ruma, ) -> Result { + if !services() + .globals + .config + .allow_public_room_directory_without_auth + { + let _sender_user = body + .sender_user + .as_ref() + .ok_or_else(|| Error::BadRequest(ErrorKind::MissingToken, "Missing access token."))?; + } + let response = get_public_rooms_filtered_helper( body.server.as_deref(), body.limit, diff --git a/src/api/server_server.rs b/src/api/server_server.rs index 7bd6373d..6ef9073b 100644 --- a/src/api/server_server.rs +++ b/src/api/server_server.rs @@ -621,6 +621,13 @@ pub async fn get_public_rooms_filtered_route( return Err(Error::bad_config("Federation is disabled.")); } + if !services() + .globals + .allow_public_room_directory_over_federation() + { + return Err(Error::bad_config("Room directory is not public.")); + } + let response = client_server::get_public_rooms_filtered_helper( None, body.limit, @@ -648,6 +655,13 @@ pub async fn get_public_rooms_route( return Err(Error::bad_config("Federation is disabled.")); } + if !services() + .globals + .allow_public_room_directory_over_federation() + { + return Err(Error::bad_config("Room directory is not public.")); + } + let response = client_server::get_public_rooms_filtered_helper( None, body.limit, diff --git a/src/config/mod.rs b/src/config/mod.rs index 08754071..1d881c54 100644 --- a/src/config/mod.rs +++ b/src/config/mod.rs @@ -51,6 +51,10 @@ pub struct Config { pub allow_encryption: bool, #[serde(default = "false_fn")] pub allow_federation: bool, + #[serde(default = "false_fn")] + pub allow_public_room_directory_over_federation: bool, + #[serde(default = "false_fn")] + pub allow_public_room_directory_without_auth: bool, #[serde(default = "true_fn")] pub allow_room_creation: bool, #[serde(default = "true_fn")] 
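Review bot: The new guard in get_public_rooms_route treats `body.sender_user` being `None` as "no token was sent", which holds only if the `Ruma` extractor resolves a supplied token for this endpoint. The extractor is not part of this diff; if it fills `sender_user` only for endpoints whose metadata requires authentication, an authenticated client would still be rejected with MissingToken whenever the option is false. This is worth confirming with a test that sends a valid token while the option is disabled, and the guard deserves a comment such as `// relies on the request extractor resolving an optional access token for this endpoint`. The function body continues past the end of the hunk.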
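Review bot: Both new federation guards in src/api/server_server.rs (in get_public_rooms_filtered_route here and in get_public_rooms_route in the following hunk) report a deliberate operator policy through `Error::bad_config`, copying the "Federation is disabled." check above them. A closed directory is not a configuration fault. If `bad_config` logs at error level or maps to a server-error status, as its name suggests but this diff does not show, every remote directory request would add an error log entry and the remote server would see a failure rather than a refusal. A forbidden-style response states the intent, e.g. `return Err(Error::BadRequest(ErrorKind::Forbidden, "Room directory is not public."));`, assuming `ErrorKind` is in scope in this file.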
@@ -150,6 +154,14 @@ impl fmt::Display for Config { ("Allow encryption", &self.allow_encryption.to_string()), ("Allow federation", &self.allow_federation.to_string()), ("Allow room creation", &self.allow_room_creation.to_string()), + ( + "Allow public room directory over federation", + &self.allow_public_room_directory_over_federation.to_string(), + ), + ( + "Allow public room directory without authentication", + &self.allow_public_room_directory_without_auth.to_string(), + ), ( "JWT secret", match self.jwt_secret { diff --git a/src/service/globals/mod.rs b/src/service/globals/mod.rs index 09e68299..1155f7ef 100644 --- a/src/service/globals/mod.rs +++ b/src/service/globals/mod.rs @@ -299,6 +299,14 @@ impl Service { self.config.allow_federation } + pub fn allow_public_room_directory_over_federation(&self) -> bool { + self.config.allow_public_room_directory_over_federation + } + + pub fn allow_public_room_directory_without_auth(&self) -> bool { + self.config.allow_public_room_directory_without_auth + } + pub fn allow_room_creation(&self) -> bool { self.config.allow_room_creation }
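Review bot: `allow_public_room_directory_over_federation()` in src/service/globals/mod.rs returns the raw config value, although conduit-example.toml in this commit says the option is inherently false when `allow_federation` is off. The guards in src/api/server_server.rs sit after the "Federation is disabled." return, so they are unaffected, but any later caller that consults this accessor alone would get `true` on a non-federating server. Either fold the dependency in, `self.config.allow_federation && self.config.allow_public_room_directory_over_federation`, or add a doc comment stating that callers must also check `allow_federation()`. The second accessor, `allow_public_room_directory_without_auth()`, has no caller in this diff, and the `impl Service` block extends beyond the hunk on both sides.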