Back to all blog posts

Understanding the rel='noopener noreferrer' Attribute

Learn what the rel='noopener noreferrer' attribute does in HTML links and why it's important for security and privacy.

Published on October 16, 2025 by Michael Andreuzza

Web pages rely on HTML links for navigation, but these simple elements can introduce security issues. The rel=“noopener noreferrer” attribute adds a plain safeguard for websites and their visitors.

What the attribute includes

The attribute consists of two key parts:

noopener: This prevents a problem that occurs when links open in new tabs or windows with target=“_blank”. A harmful site could take control of the original window. The noopener value breaks this link, isolating the new tab from the source page.

noreferrer: This focuses on user privacy. Normally, when clicking a link, the destination site receives details about the origin (the referrer). The noreferrer value blocks this information, which helps keep visitor data private when linking to untrusted or external sites.

Reasons to use “noopener noreferrer”

  • Better security: It stops new tabs from interfering with the original page, shielding users from attacks.
  • More privacy: By blocking referrer data, it keeps browsing history more confidential from external sites.
  • Small performance benefit: Indirectly, noopener might speed up loading by removing the need for the browser to manage cross-tab interactions.

Implementing the attribute

Adding rel=“noopener noreferrer” to links is straightforward:

<a href="https://www.example.com" target="_blank" rel="noopener noreferrer"
  >Check Out Example Site</a
>

When to apply it consistently

It’s wise to use this on most external links, but exceptions exist:

  • Trusted sites: For known, secure websites, you might skip it.
  • Internal Navigation: No need for links within your own domain.

SEO effects

Using rel=“noopener noreferrer” won’t harm your SEO directly. However, noreferrer can make it harder to track referral sources in analytics if that’s crucial for your data.

Basics of the rel=“noopener noreferrer” attribute

Navigation starts with the <a> tag. Here are the basics:

  • Standard format: <a href="https://www.examplewebsite.com">Link to Example Site</a>
  • href defines the URL.
  • The clickable text is between the tags.
  • target="_blank" opens the link in a new tab, keeping users on your site while they explore.

Security risks involved

Although useful, target="_blank" without precautions can expose vulnerabilities:

  • The window.opener object: This JavaScript feature connects new tabs to the original. Normally, sites can’t access other windows, but with this, they can.
  • What an attacker might do: If a bad site accesses window.opener, it might:
    • Send the original tab to dangerous pages.
    • Add unwanted ads or content.
    • Create fake pop-ups.
    • Perform “tabnabbing” attacks.

Referrer data and tracking

Browsers typically share the source URL (referrer) with the destination. This has implications:

  • Analytics use: Referrer info helps track traffic sources, campaign effectiveness, and user paths.
  • Privacy issues: In some cases, sharing this data can compromise user anonymity, especially for sensitive topics like health or finance.

With this background on links, risks, and data sharing, we can see how noopener and noreferrer address these concerns.

How noopener and noreferrer work

The noopener attribute

  • Main job: It breaks the JavaScript link via window.opener, a basic security step.
  • Blocking interference: It prevents the new site from altering the original tab, keeping browsing safer.
  • Example code: 
    <a href="https://externalsite.com" target="_blank" rel="noopener"
  >Go to External Site</a
>
  • Extra benefit: It may boost performance slightly by reducing browser overhead.

The noreferrer attribute

  • Managing referrer data: It tells the browser not to send origin details, changing how tracking works.
  • Privacy scenarios: Use it for:
    • Links to private sites needing anonymity.
    • Situations where source details should stay hidden.
    • Choosing privacy over detailed analytics.
  • Example code: 
    <a href="https://externalsite.com" target="_blank" rel="noreferrer"
  >Visit External Site</a
>

Using both together

It’s best to combine them for broader coverage:

  • Better protection: Covers both manipulation risks and privacy needs.
  • Example code: 
    <a href="https://externalsite.com" target="_blank" rel="noopener noreferrer"
  >Explore External Site</a
>

Appropriate usage scenarios

Always use it for sites outside your control, like in articles or menus.

Reason: External sites’ intentions aren’t guaranteed, so this minimizes threats.

These need careful handling:

  • Protection: Guards against partner manipulations.
  • Monitoring: Pair with UTM codes to track while securing.

User-submitted content

For comments or forums with links, be cautious of harmful additions.

Platform features: Many systems auto-add this to user links.

Suspicious sites

For uncertain destinations, apply it to add safety.

Result: Builds user trust by preventing risks.

Wrapping up

Understanding attributes like rel=“noopener noreferrer” helps build secure, efficient websites. Responsible linking protects your site, users, and reputation.

/Michael Andreuzza

Did you like this post? Please share it with your friends!