Security · Low

External Link Safety

Checks external links with target="_blank" for rel="noopener".

What this check measures

Links with `target="_blank"` must include `rel="noopener"` (or `noreferrer`). Without it, the opened page can access `window.opener` and manipulate the parent — a reverse-tabnabbing attack.

Why it matters

In a tabnabbing attack, the user clicks an external link and the new tab rewrites the original tab into a phishing clone. Modern browsers default to noopener for cross-origin links, but setting it explicitly is safer, and Safari was slower to adopt the default.

How our audit detects it

Parse all `<a target="_blank">` tags. Flag those missing rel="noopener" or rel="noreferrer".
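
A minimal static version of this check, as an added example (not the audit tool's own implementation): it uses Python's standard `html.parser`, and the class name, function name and sample markup are constructed for illustration. It only sees markup present in the served HTML, so links created by scripts at runtime need a pass over the rendered DOM instead.

```python
from html.parser import HTMLParser

SAFE_TOKENS = {"noopener", "noreferrer"}


class BlankTargetAudit(HTMLParser):
    """Collects <a target="_blank"> tags whose rel lacks noopener/noreferrer."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, href, rel tokens found)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = {}
        for name, value in attrs:
            # Names arrive lowercased; browsers keep the first duplicate attribute.
            attr.setdefault(name, value or "")
        if attr.get("target", "").strip().lower() != "_blank":
            return
        # rel is a space-separated, case-insensitive token list.
        rel = set(attr.get("rel", "").lower().split())
        if not rel & SAFE_TOKENS:
            line, _col = self.getpos()
            self.findings.append((line, attr.get("href", ""), sorted(rel)))


def audit(html):
    """Return a list of (line, href, rel_tokens) for every unsafe link."""
    parser = BlankTargetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (not taken from a real site).
SAMPLE = """<p>
<a href="https://partner.com" target="_blank">no rel</a>
<a href="https://partner.com/a" target="_blank" rel="nofollow">wrong token</a>
<a href="https://partner.com/b" target="_BLANK" REL="NoOpener">mixed case</a>
<a href="https://partner.com/c" target="_blank" rel="nofollow noreferrer">ok</a>
<a href="https://partner.com/d">same tab</a>
</p>"""

if __name__ == "__main__":
    for line, href, rel in audit(SAMPLE):
        print(f"line {line}: {href} target=_blank, rel={rel or 'missing'}")
```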

Typical findings

  • `<a href="https://partner.com" target="_blank">` without rel attribute.
  • Dynamically created links missing rel.

How to fix

Add `rel="noopener noreferrer"` to every target="_blank" link. Configure your framework or CMS to do this by default.

Frequently asked questions

noopener vs noreferrer?
noopener blocks window.opener access. noreferrer does that AND strips the Referer header. Ship both for max safety.
