diff --git a/server/modules/rendering/html-core/definition.yml b/server/modules/rendering/html-core/definition.yml
index c11da260..2fe4783c 100644
--- a/server/modules/rendering/html-core/definition.yml
+++ b/server/modules/rendering/html-core/definition.yml
@@ -18,3 +18,12 @@ props:
title: Open external links in a new tab
hint: External links will have a _blank target attribute added automatically.
order: 2
+ relAttributeExternalLink:
+ type: String
+ default: noreferrer
+ title: Protect against XSS when opening _blank target links
+ hint: External links with _blank attribute will have an additional rel attribute.
+ order: 3
+ enum:
+ - noreferrer
+ - noopener
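Review bot: The `title` on the new relAttributeExternalLink prop mislabels what the setting does: `rel=noopener`/`noreferrer` on a `target=_blank` link stops the opened page from reaching `window.opener` (reverse tabnabbing), and `noreferrer` additionally withholds the Referer header and implies `noopener`; neither addresses XSS. I would change it to `title: Protect against reverse tabnabbing when opening _blank target links` and make the hint say why: `hint: External links opened in a new tab get this rel attribute so the target page cannot access window.opener (noreferrer also suppresses the Referer header).` Since noreferrer implies noopener, the enum's two single-token choices are sufficient, but it may be worth a one-line comment in the definition recording that, so nobody later adds a combined value for no reason.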
diff --git a/server/modules/rendering/html-core/renderer.js b/server/modules/rendering/html-core/renderer.js
index 55cb4318..50c2947f 100644
--- a/server/modules/rendering/html-core/renderer.js
+++ b/server/modules/rendering/html-core/renderer.js
@@ -115,6 +115,7 @@ module.exports = {
$(elm).addClass(`is-external-link`)
if (this.config.openExternalLinkNewTab) {
$(elm).attr('target', '_blank')
+ $(elm).attr('rel', this.config.relAttributeExternalLink)
}
}
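Review bot: The added `$(elm).attr('rel', this.config.relAttributeExternalLink)` replaces whatever `rel` the anchor already carried, so any token set earlier in the pipeline or in author-supplied HTML is dropped rather than combined with the protective one; merging is safer: `const rel = ($(elm).attr('rel') || '').split(/\s+/).filter(Boolean)`, `if (!rel.includes(this.config.relAttributeExternalLink)) { rel.push(this.config.relAttributeExternalLink) }`, `$(elm).attr('rel', rel.join(' '))`. Also, if an existing deployment has no value for the new key and the default from definition.yml is not merged into `this.config`, the assignment would presumably run `attr('rel', undefined)`, which jQuery-style APIs treat as a getter and write nothing — worth confirming that the default actually reaches this code. The enclosing renderer function starts and ends outside this hunk.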
diff --git a/server/modules/rendering/html-security/renderer.js b/server/modules/rendering/html-security/renderer.js
index 4e40e654..21d44fef 100644
--- a/server/modules/rendering/html-security/renderer.js
+++ b/server/modules/rendering/html-security/renderer.js
@@ -6,7 +6,7 @@ module.exports = {
input = xss(input, {
whiteList: {
...xss.whiteList,
- a: ['class', 'id', 'href', 'style', 'target', 'title'],
+ a: ['class', 'id', 'href', 'style', 'target', 'title', 'rel'],
blockquote: ['class', 'id', 'style'],
code: ['class', 'style'],
details: ['class', 'style'],
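Review bot: Adding `'rel'` to the `a` whitelist has no comment explaining why it is now allowed, and this list is attribute names only, so any `rel` value in authored HTML passes the sanitizer, not just the noopener/noreferrer token html-core sets. I would annotate the line: `a: ['class', 'id', 'href', 'style', 'target', 'title', 'rel'], // rel kept so the noopener/noreferrer added by html-core on _blank links survives sanitization`. Whether the allowance is actually needed depends on html-security running after html-core in the render chain; if it runs before, the entry is harmless but unnecessary, and that ordering is not visible in this hunk. The enclosing `module.exports` block starts and ends outside the hunk.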