Software as a Service (SaaS) is the idea of pushing software and data from the desktop to the Web. For instance, Google Docs is an office suite that is accessible from the web. These web applications are very popular because they are easy to deploy and they can invoke other external building blocks supplied by third parties, also called "mashups". Yet, developing correct and secure web applications is complex because developers are required to reason about distributed computation and to write code using heterogeneous languages, often not originally designed with distributed computing in mind. Testing is the common way to catch bugs and vulnerabilities as current technologies provide limited support. There are doubts this can scale up to meet the expectations of more sophisticated web applications. As a preliminary work, we proposed a type-safe programming language for the web called "Qwesst". We used it to express safe interaction patterns commonly found on the Web as well as more sophisticated forms that are beyond current web technologies. In this project, we proposed to extend Qwesst with security features to provide a way for the programmer to control data dissemination. At first, we plan to extend the type system to be able to infer the data flow. Secondly, we plan to extend the language with operators to allow the programmer to specify an information flow policy. The goal is to check that data flow is allowed by the security policy specified by the programmer.