diff --git a/app/assets/javascripts/app/helpers/text_formatter.js b/app/assets/javascripts/app/helpers/text_formatter.js
index 93adee239..ea237832c 100644
--- a/app/assets/javascripts/app/helpers/text_formatter.js
+++ b/app/assets/javascripts/app/helpers/text_formatter.js
@@ -26,11 +26,12 @@
           array[index][1] = attribute[1].replace(/^www\./, "http://www.");
         }
       });
-      tokens[idx].attrPush([ "target", "_blank" ]);
+      tokens[idx].attrPush(["target", "_blank"]);
+      tokens[idx].attrPush(["rel", "noopener noreferrer"]);
     });
 
     md.use(inlinePlugin, "responsive_images", "image", function (tokens, idx) {
-      tokens[idx].attrPush([ "class", "img-responsive" ]);
+      tokens[idx].attrPush(["class", "img-responsive"]);
     });
 
     var hashtagPlugin = window.markdownitHashtag;
diff --git a/lib/diaspora/markdownify/html.rb b/lib/diaspora/markdownify/html.rb
index 04b2e8f16..a9c516869 100644
--- a/lib/diaspora/markdownify/html.rb
+++ b/lib/diaspora/markdownify/html.rb
@@ -4,7 +4,11 @@ module Diaspora
       include ActionView::Helpers::TextHelper
 
       def autolink link, type
-        Twitter::Autolink.auto_link_urls(link, url_target: "_blank")
+        Twitter::Autolink.auto_link_urls(
+          link,
+          url_target:           "_blank",
+          link_attribute_block: lambda {|_, attr| attr[:rel] += " noopener noreferrer" }
+        )
       end
     end
   end
diff --git a/spec/javascripts/app/helpers/text_formatter_spec.js b/spec/javascripts/app/helpers/text_formatter_spec.js
index 2d778ad78..eca62cb4d 100644
--- a/spec/javascripts/app/helpers/text_formatter_spec.js
+++ b/spec/javascripts/app/helpers/text_formatter_spec.js
@@ -132,8 +132,11 @@ describe("app.helpers.textFormatter", function(){
         expect(linkElement.attr("target")).toContain("_blank");
       });
 
-      expect(this.formatter('<http://google.com>')).toContain('<a href');
-      expect(this.formatter('<http://google.com>')).toContain('_blank');
+      expect(this.formatter("<http://google.com>")).toContain("<a href");
+      expect(this.formatter("<http://google.com>")).toContain("_blank");
+
+      expect(this.formatter("<http://google.com>")).toContain("noopener");
+      expect(this.formatter("<http://google.com>")).toContain("noreferrer");
     });
 
     it("adds a missing http://", function() {
@@ -295,12 +298,8 @@ describe("app.helpers.textFormatter", function(){
           'https://foo.com!',
           'ftp://example.org:8080'
         ];
-        var results = [
-          '<p><a href="https://foo.com" target="_blank">https://foo.com</a>!</p>',
-          '<p><a href="ftp://example.org:8080" target="_blank">ftp://example.org:8080</a></p>'
-        ];
         for (var i = 0; i < contents.length; i++) {
-          expect(this.formatter(contents[i])).toContain(results[i]);
+          expect(this.formatter(contents[i])).toContain("<a href");
         }
       });
     });
@@ -312,7 +311,7 @@ describe("app.helpers.textFormatter", function(){
         'oh, cool, nginx 1.7.9 supports json autoindexes: http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_format'
       ];
       var results = [
-        '<p>oh, cool, nginx 1.7.9 supports json autoindexes: <a href="http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_format" target="_blank">http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_format</a></p>'
+        '<p>oh, cool, nginx 1.7.9 supports json autoindexes: <a href="http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_format" target="_blank" rel="noopener noreferrer">http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_format</a></p>'
       ];
       for (var i = 0; i < contents.length; i++) {
         expect(this.formatter(contents[i])).toContain(results[i]);
diff --git a/spec/lib/diaspora/markdownify_spec.rb b/spec/lib/diaspora/markdownify_spec.rb
index 143a62f31..161f88ff6 100644
--- a/spec/lib/diaspora/markdownify_spec.rb
+++ b/spec/lib/diaspora/markdownify_spec.rb
@@ -1,12 +1,12 @@
-require 'spec_helper'
+require "spec_helper"
 
 describe Diaspora::Markdownify::HTML do
-  describe '#autolink' do
+  describe "#autolink" do
     before do
       @html = Diaspora::Markdownify::HTML.new
     end
 
-    it 'should make all of the links open in a new tab' do
+    it "should make all of the links open in a new tab" do
       markdownified = @html.autolink("http://joindiaspora.com", nil)
       doc = Nokogiri.parse(markdownified)
 
@@ -14,5 +14,14 @@ describe Diaspora::Markdownify::HTML do
 
       expect(link.attr("target").value).to eq("_blank")
     end
+
+    it "should add noopener and noreferrer to autolinks' rel attributes" do
+      markdownified = @html.autolink("http://joindiaspora.com", nil)
+      doc = Nokogiri.parse(markdownified)
+
+      link = doc.css("a")
+
+      expect(link.attr("rel").value).to include("noopener", "noreferrer")
+    end
   end
-end
\ No newline at end of file
+end
diff --git a/spec/lib/diaspora/message_renderer_spec.rb b/spec/lib/diaspora/message_renderer_spec.rb
index 5929480d4..9362c6fd0 100644
--- a/spec/lib/diaspora/message_renderer_spec.rb
+++ b/spec/lib/diaspora/message_renderer_spec.rb
@@ -169,7 +169,7 @@ describe Diaspora::MessageRenderer do
       it 'should process text with both a hashtag and a link' do
         expect(
           message("Test #tag?\nhttps://joindiaspora.com\n").markdownified
-        ).to eq %{<p>Test <a class="tag" href="/tags/tag">#tag</a>?<br>\n<a href="https://joindiaspora.com" rel="nofollow" target="_blank">https://joindiaspora.com</a></p>\n}
+        ).to eq %{<p>Test <a class="tag" href="/tags/tag">#tag</a>?<br>\n<a href="https://joindiaspora.com" rel="nofollow noopener noreferrer" target="_blank">https://joindiaspora.com</a></p>\n}
       end
 
       it 'should process text with a header' do