diff --git a/frontend/eslint.config.js b/frontend/eslint.config.js
index 79384407..4488ca79 100644
--- a/frontend/eslint.config.js
+++ b/frontend/eslint.config.js
@@ -77,7 +77,11 @@ export default defineConfig(
 // defense (the CI regex stays as a backstop). For any legitimate use (e.g.
 // trusted server-rendered Markdown), suppress with an inline
 // `` and a justification.
- 'svelte/no-at-html-tags': 'error'
+ 'svelte/no-at-html-tags': 'error',
+ // Reverse-tabnabbing (CWE-1022): any `target="_blank"` anchor must carry
+ // `rel="noopener noreferrer"`, or the opened page can hijack window.opener.
+ // Catches the pattern at lint time instead of relying on review. See #708.
+ 'svelte/no-target-blank': ['error', { allowReferrer: false, enforceDynamicLinks: 'always' }]
 }
 },
 {
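Review bot: The two options passed to `svelte/no-target-blank` are, as far as I know, the rule's documented defaults (`allowReferrer: false`, `enforceDynamicLinks: 'always'`), so the tuple form is equivalent to the bare `'error'` used for `svelte/no-at-html-tags` just above; if they are spelled out deliberately, say so in the comment, e.g. `// Both options are the rule defaults, written out so the intent survives a plugin upgrade.` The comment's "any `target="_blank"` anchor" overstates the lint's reach: the rule inspects anchor elements in Svelte templates, while programmatic `window.open(url)` calls in script blocks are not checked and still need the `'noopener'` feature string, so a line such as `// Template anchors only; window.open() calls are not covered by this rule.` would keep readers from assuming full coverage. It is also worth noting that current browsers already imply `noopener` for `target="_blank"`, so the practical gain (depending on the supported browser matrix) is mostly the `noreferrer` half, i.e. no referrer leakage to the opened origin, plus consistent behaviour on older engines. The enclosing rules object and the `defineConfig(` call both start before this hunk.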