Add security note for rel="noreferrer” attribute

sindresorhus · sindresorhus · commit f35c544a5e08 · 2025-09-10T19:44:52.000+07:00
Fixes #32
diff --git a/index.d.ts b/index.d.ts
@@ -3,6 +3,19 @@ import {type HTMLAttributes} from 'create-html-element';
 export type Options = {
 	/**
 	HTML attributes to add to the link.
+
+	Security note: For external links, consider adding `rel: 'noreferrer'` to prevent the linked page from accessing `window.opener` and to avoid sending referrer information.
+
+	@example
+	```
+	linkifyUrlsToHtml('Visit https://example.com', {
+		attributes: {
+			rel: 'noreferrer',
+			target: '_blank'
+		}
+	});
+	//=> 'Visit <a href="https://example.com" rel="noreferrer" target="_blank">https://example.com</a>'
+	```
 	*/
 	readonly attributes?: HTMLAttributes;
 
diff --git a/readme.md b/readme.md
@@ -58,6 +58,18 @@ Type: `object`
 
 HTML attributes to add to the link.
 
+**Security note:** For external links, consider adding `rel: 'noreferrer'` to prevent the linked page from accessing `window.opener` and to avoid sending referrer information. This helps protect against reverse tabnabbing attacks and preserves user privacy:
+
+```js
+linkifyUrlsToHtml('Visit https://example.com', {
+	attributes: {
+		rel: 'noreferrer',
+		target: '_blank'
+	}
+});
+//=> 'Visit <a href="https://example.com" rel="noreferrer" target="_blank">https://example.com</a>'
+```
+
 ##### value
 
 Type: `string | Function`\
