Fri, April 11, 3:15 PM
60 MINUTES
Language-Based Security and Privacy in Web-Driven Systems

Language-based security applies programming language techniques to provide rigorous security and privacy guarantees across computer systems. In this talk, we focus on securing web-driven systems that heavily rely on third-party code, specifically Trigger-Action Platforms (TAPs) and browser extensions. Both increasingly popular systems empower users to develop and publish apps that enhance digital lives through smart automation and personalized web browsing, respectively. We review vulnerabilities identified in popular TAP apps and how to prevent malicious behavior by sandboxing and fine-grained access control. To minimize data access for TAPs with user-configured apps, we also present a construction-by-design paradigm for on-demand data minimization using lazy computation. Besides access control and minimization, we study how sensitive information is processed once access is granted, using information-flow analysis. We discuss privacy risks in browser extensions, such as exfiltration of cookies and browsing history over the network. We present a static analysis framework to track flows from user-sensitive data to network requests in browser extensions.

Mohammad M. Ahmadpanah

Postdoctoral Researcher (Information Security) @ KTH

Mohammad M. Ahmadpanah is a postdoctoral researcher in Information Security at KTH in Sweden. Before joining KTH in January 2025, he was a postdoctoral researcher at Chalmers, where he also completed his PhD under the supervision of Andrei Sabelfeld and Daniel Hedin in August 2024. Earlier in his academic journey, he spent 8 years at Amirkabir (BSc in Software Engineering, MSc in Information Security, and PhD candidate in Software Engineering), all supervised by Mehran S. Fallah. His main research interests are: Language-Based Security, Web Security, Information-Flow Security, Program Analysis, and Formal Methods.