
Security must be a big selling point versus these other solutions?


Security in Haskell isn't especially better than any other general purpose language. You do have a lot more tools to help though. For instance, you can make your web app fail to compile if you accidentally try to serialize sensitive information to JSON or plaintext. GHC will tell you exactly where you almost had a data leak.


It's actually a bit harder than you're implying, because any request coming to the server could have sensitive information in it.

But, yes, wrapping your data helps solve some of the problem in any language. For instance, in Java we hold passwords from requests in a Password class rather than in a String; the Password class's .toString will return "xx" rather than the actual password.
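The two techniques described in the comments above (a wrapper type whose string form is redacted, and a type with no serializer instance so that leaking it is a compile error) as one added example in Haskell. This is not IHP's code nor any commenter's; the `Serialize` class is a hypothetical stand-in for aeson's `ToJSON` so the block needs only `base` and `containers`, and the form field names, `LoginRequest`/`LoginResponse` records and `checkPassword` are invented for illustration.

```haskell
{-# LANGUAGE FlexibleInstances #-}
-- Added example (not IHP or a commenter's code): a secret-carrying wrapper
-- type that redacts itself when shown and deliberately has no serializer
-- instance, so serializing it fails at compile time.
module Main where

import qualified Data.Map.Strict as Map

-- Hypothetical serializer class, standing in for aeson's ToJSON.
class Serialize a where
  serialize :: a -> String

instance Serialize String where
  serialize = show

instance Serialize Bool where
  serialize True  = "true"
  serialize False = "false"

-- In real code the module would export the type but not the constructor,
-- so the only way to build one is through the request parser below.
newtype Password = Password String

-- Redacting Show: print/log/debug output of a Password cannot leak it.
instance Show Password where
  show _ = "Password <redacted>"

-- Deliberately NO 'instance Serialize Password'.
-- Uncommenting the next two lines makes GHC reject the module with
--   No instance for (Serialize Password) arising from a use of 'serialize'
-- which is the "fail to compile on a data leak" behaviour described above.
-- leakyResponse :: LoginRequest -> String
-- leakyResponse r = serialize (reqPassword r)

-- The single controlled exit from the wrapper: hand the plaintext only to
-- a verifier (in practice a password-hash check), never return it.
checkPassword :: Password -> (String -> Bool) -> Bool
checkPassword (Password p) verifier = verifier p

-- Request data is wrapped at the boundary, as soon as it is parsed.
data LoginRequest = LoginRequest
  { reqUser     :: String
  , reqPassword :: Password
  } deriving Show

parseLogin :: Map.Map String String -> Either String LoginRequest
parseLogin form = do
  u <- maybe (Left "missing user") Right (Map.lookup "user" form)
  p <- maybe (Left "missing password") Right (Map.lookup "password" form)
  if null p then Left "empty password" else Right (LoginRequest u (Password p))

-- A response record that is safe to serialize because it carries no Password.
data LoginResponse = LoginResponse { respUser :: String, respOk :: Bool }

instance Serialize LoginResponse where
  serialize r =
    "{\"user\":" ++ serialize (respUser r) ++ ",\"ok\":" ++ serialize (respOk r) ++ "}"

main :: IO ()
main = do
  -- Constructed form submission, as a decoded request body might look.
  let form = Map.fromList [("user", "alice"), ("password", "hunter2")]
  case parseLogin form of
    Left err  -> putStrLn ("bad request: " ++ err)
    Right req -> do
      print req  -- the derived Show uses the redacting instance for the password field
      let ok = checkPassword (reqPassword req) (== "hunter2")
      putStrLn (serialize (LoginResponse (reqUser req) ok))
```

The point of the design is that the absence of an instance is the control: any code path that tries to push a `Password` through `serialize` (or, with aeson, `toJSON`) is rejected by GHC, and any path that pretty-prints a record containing one gets the redacted form. The `deriving Show` on `LoginRequest` is safe only because `Password` supplies its own `Show`; deriving `Show` for the newtype itself would undo the protection.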


I was asking about IHP specifically. Yes, Haskell is just a tool, and one could simply build PHP with it.


I'll play devil's advocate with the hope that it facilitates a response by someone who understands the topic far better than me: what is security?


Security is resilience with respect to your threat model. The usual security objectives are confidentiality, integrity, and availability.

Nothing is "secure" forever and ever. For each objective you need to state some assumptions that are required to uphold it.

Haskell allows you to express more assumptions in code, not just comments, to be enforced at compile time. And with some careful handling, Haskell types provide a solid foundation without going into full deductive verification mode.


One example of security is not munging strings together and shipping them off to the database or some other "eval" with full privileges. A programming language with lightweight static types makes it easier to parse outside data into a typed representation, then transform/evaluate/compile as necessary. This is of course Haskell's bread and butter.
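The "parse outside data into a typed representation, then compile it" pattern from the comment above, as an added Haskell example that is not IHP's code nor any commenter's. It needs only `base`. The `users` table, the `Column`/`Filter` types and the `?` placeholder convention are assumptions made for illustration; a real application would hand the `(String, [Param])` pair to its database library's parameterized-query function.

```haskell
-- Added example (not IHP or a commenter's code): contrast string-munged SQL
-- with a typed filter that is parsed from the request and then compiled to
-- a parameterized statement.
module Main where

import Text.Read (readMaybe)

-- The "munging strings together" version: the caller's input becomes SQL text.
buildQueryUnsafe :: String -> String -> String
buildQueryUnsafe column value =
  "SELECT * FROM users WHERE " ++ column ++ " = '" ++ value ++ "'"

-- Typed representation of what a request is permitted to ask for.
-- Only these columns exist as far as the query builder is concerned.
data Column = Username | Email | Age deriving (Eq, Show)

-- Bind parameters carry their type; they are never spliced into SQL text.
data Param = PText String | PInt Int deriving (Eq, Show)

data Filter = Filter Column Param deriving (Eq, Show)

-- Parsing: an unknown column name is a parse error, not a query.
parseColumn :: String -> Either String Column
parseColumn "username" = Right Username
parseColumn "email"    = Right Email
parseColumn "age"      = Right Age
parseColumn other      = Left ("unknown column: " ++ other)

-- Parsing: the value is typed according to the column it filters.
parseFilter :: String -> String -> Either String Filter
parseFilter colName raw = do
  col <- parseColumn colName
  val <- case col of
    Age -> maybe (Left ("age is not an integer: " ++ raw)) (Right . PInt) (readMaybe raw)
    _   -> Right (PText raw)
  pure (Filter col val)

-- Compile: the column identifier comes from our own table, the value
-- becomes a bind parameter. Attacker input never reaches the SQL string.
columnSql :: Column -> String
columnSql Username = "username"
columnSql Email    = "email"
columnSql Age      = "age"

compileFilter :: Filter -> (String, [Param])
compileFilter (Filter col val) =
  ("SELECT * FROM users WHERE " ++ columnSql col ++ " = ?", [val])

main :: IO ()
main = do
  -- Constructed inputs, as they might arrive in a query string.
  let injected = "' OR '1'='1"
  -- Unsafe: the injected quote rewrites the WHERE clause.
  putStrLn (buildQueryUnsafe "username" injected)
  -- Typed: the same input is just a text parameter.
  print (fmap compileFilter (parseFilter "username" injected))
  -- Typed: integer column accepts an integer ...
  print (fmap compileFilter (parseFilter "age" "42"))
  -- ... and rejects anything that is not one.
  print (fmap compileFilter (parseFilter "age" "42; DROP TABLE users"))
  -- Typed: a column the request is not allowed to filter on is rejected.
  print (fmap compileFilter (parseFilter "password_hash" "x"))
```

The static-typing benefit is structural rather than magical: once `Column` is a closed sum type, `columnSql` is total and the compiler warns if a new constructor is added without a rendering, and nothing of type `String` can reach the SQL text except through that function. The same shape (parse to an ADT, then render) applies to shell commands, LDAP filters or any other "eval" target the comment alludes to.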



