The development of web applications is typically done oblivious to privacy precautions. Largely, this is due to lack of technical knowledge and appropriate tools for enforcing privacy. As a result, web users’ personal information is constantly at risk. We introduce a solution that protects arbitrary web applications from several dangerous privacy threats. It is easy to install, usable (e.g., in terms of expressiveness and appropriate enforcement), and requires no changes to the web application’s code. Its main functionality is given by modules that are situated between web server and user, and between web server and APIs. These modules assign a privacy tag to inbound data according to its origin (e.g., received through a web form field or stored in an internal database); and block outbound data according to its privacy tag, what is its destination, and its syntax. This allows us, for example, to block private data from being exposed to users. We have implemented a prototype for the PHP platform that is efficient in terms of CPU and memory usage. We also verified that it enforces privacy in several potentially-vulnerable scenarios.