webentity
Learn/Technical SEO

noreferrer

TL;DRrel="noreferrer" tells the browser not to send the Referer header when following a link. It hides which page sent the user. It does not affect link equity - that's nofollow.

What is noreferrer?

noreferrer is a value for the rel attribute on HTML links. When set, the browser does not send the Referer header to the destination, and the destination cannot access window.opener.

The Referer header normally tells the destination which URL the user clicked from. noreferrer removes that signal, so the destination just sees a visit with no source.

Why it matters

Privacy. The Referer header can leak sensitive information from your URL: a customer ID in a dashboard path, a search query in a results page, a token embedded in a preview link. noreferrer prevents that leak when users click outbound links from those pages.

Analytics on the receiving end. With noreferrer, the destination's analytics will record the visit as "direct traffic" instead of attributing it to your site. This is sometimes desired (privacy) and sometimes a downside (you stop showing up in their referrer reports).

It also blocks window.opener. noreferrer implies noopener in modern browsers, so it doubles as a tabnabbing defence on target="_blank" links. That's why rel="noopener noreferrer" together is the common pattern.

What it does not do. A common mistake: people add rel="noreferrer" thinking it tells Google not to pass link equity to the destination. It doesn't. The attribute Google looks at for that is rel="nofollow" (and the newer rel="ugc" and rel="sponsored"). noreferrer controls the Referer header, not link equity. If you want to signal "don't endorse this destination" to Google, use rel="nofollow".

How it actually works

<a href="https://example.com/" rel="noreferrer">
  Example
</a>

When the user clicks this link, the request to example.com goes out without a Referer header. The destination sees the visit but not the source URL.

For links opening in a new tab, pair it with noopener to keep the explicit security intent:

<a href="https://example.com/" target="_blank" rel="noopener noreferrer">
  Example
</a>

Page-wide alternative. If you want noreferrer behaviour on every outbound link from a page, set the Referrer Policy at the document level:

<meta name="referrer" content="no-referrer" />

Or in HTTP headers:

Referrer-Policy: no-referrer

For most sites, a stricter policy like strict-origin-when-cross-origin (the modern browser default) is a better balance: it sends the origin only, not the full path, on cross-site navigations.

Common mistakes:

  • Confusing noreferrer with nofollow (different attributes, different jobs)
  • Adding noreferrer to internal same-origin links where it just hurts your own analytics
  • Setting Referrer-Policy: no-referrer site-wide when only a few pages actually need it - you lose attribution data from outbound clicks across the whole site

How webentity handles this

Across a webentity codebase, outbound target="_blank" links carry rel="noopener noreferrer" by convention - applied at every call site rather than added by a renderer plugin, so the attribute is visible in the markup at every link.

For pages where the URL itself can carry sensitive parameters (preview links, audit reports, customer-scoped views), the document-level Referrer Policy is set tighter than the global default, so even links written without an explicit noreferrer don't leak the full path to third parties.

← All learn entries