When you link to an external website and have it open in a new tab using `target="_blank"`, you might be unknowingly opening a security backdoor on your own site. An unsafe cross-origin link is one that omits the `rel="noopener"` attribute, creating a vulnerability that can be exploited by malicious actors. While this doesn’t have a direct impact on your SEO rankings, it’s a critical security issue that can harm your users and your site’s reputation.
Think of it as giving a stranger a key to your house. The `target="_blank"` attribute, without the proper security measures, allows the newly opened page to have partial control over the original page. This can be used for “tabnapping,” where the new page redirects your page to a phishing site. For a broader look at website security, see our guide on all things security.

The SEO Impact of Unsafe Cross-Origin Links
While unsafe cross-origin links are not a direct ranking factor, fixing them has several indirect benefits for SEO:
- Improved User Trust: A secure connection, enforced by HSTS, builds trust with your users, who are more likely to engage with and convert on a site they know is secure.
- Prevents Hacking: A compromised site can be severely penalized or removed from search results entirely. HSTS is a powerful defense against attacks that could lead to this.
Best Practices for Secure Cross-Origin Links
For a comprehensive guide on this topic, check out this resource from Ahrefs.
Example: Securing a Cross-Origin Link
```html
<!-- Before: Unsafe cross-origin link -->
<a href="https://externalsite.com" target="_blank">External Site</a>

<!-- After: Secure cross-origin link -->
<a href="https://externalsite.com" target="_blank" rel="noopener noreferrer">External Site</a>
```
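To check existing markup for the "before" pattern, the following added example (not from the original article or any tool it mentions) audits an HTML string for `target="_blank"` links that lack the `rel` tokens. The function names and sample markup are constructed for illustration, and it goes slightly beyond the snippet above by also handling `<area>` tags, single-quoted and unquoted attributes, and mixed-case markup.

```javascript
// Constructed sample markup (not from a real site).
const SAMPLE_HTML = `
<a href="https://externalsite.com" target="_blank">External Site</a>
<a href="https://externalsite.com/ok" target="_blank" rel="noopener noreferrer">OK</a>
<A HREF='https://externalsite.com/caps' TARGET=_BLANK REL="nofollow">Caps</A>
<a href="https://externalsite.com/partial" target="_blank" rel="nofollow noopener">Partial</a>
<a href="/same-tab">Same tab</a>
`;

// Parse the attribute section of one start tag into a lowercase-keyed map.
// Handles name="v", name='v', name=v and bare names; the first occurrence wins.
function parseAttributes(attrSource) {
  const attrs = Object.create(null);
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = re.exec(attrSource)) !== null) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per <a>/<area> that opens a new tab without both rel tokens.
// Regex scanning suits template audits; it is not a full HTML parser.
function auditBlankLinks(html) {
  const findings = [];
  const tagRe = /<(a|area)(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[2]);
    // The _blank keyword is matched case-insensitively.
    if ((attrs.target || "").trim().toLowerCase() !== "_blank") continue;
    const rel = new Set((attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean));
    const missing = ["noopener", "noreferrer"].filter((t) => !rel.has(t));
    if (missing.length === 0) continue;
    findings.push({
      href: attrs.href || "",
      missing,
      // noreferrer implies noopener in the HTML spec, so either token
      // stops the new page from reaching the original tab.
      openerExposed: missing.length === 2,
    });
  }
  return findings;
}

console.log(auditBlankLinks(SAMPLE_HTML));
```

Links reported with `openerExposed: true` match the unsafe "before" form; those with only one token missing are protected against tabnapping but do not yet follow the `noopener noreferrer` recommendation.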
For more on this topic, see our guide on on-page SEO.
Frequently Asked Questions
What is an unsafe cross-origin link?
An unsafe cross-origin link is a hyperlink that opens in a new tab using `target="_blank"` without including the `rel="noopener"` attribute. This creates a security vulnerability known as ‘tabnapping’, which can allow the new page to maliciously manipulate the original page.
What are the risks of implementing HSTS incorrectly?
If you implement HSTS without a fully functional SSL certificate, or if you have mixed content issues, you can make your site inaccessible to users. It’s a powerful directive that should be implemented with care.
Should I use ‘noopener’, ‘noreferrer’, or both?
For maximum security and browser compatibility, it is best practice to use both `rel="noopener noreferrer"` on all links that use `target="_blank"`. Most modern CMS platforms, like WordPress, do this automatically.
Are your external links leaving you vulnerable? Use Creeper to audit your links and ensure they are secure.