by superkuh 1202 days ago
This is the way. It's great for templating with .html fragments, extremely easy to maintain and has almost no attack surface. I don't know what "Caddy's template" is but HTML/CSS + SSI for gluing the fragments together is what peak personal website performance looks like.
2 comments

SSI is supported by "old battle tested" servers like Apache or Nginx. There's a "new guy on the block" that I find quite promising: Caddy[0]. However, it doesn't support SSI; instead they have some built-in template engine that is a bit more powerful than old SSI but can achieve the same result.

[0]: caddyserver.com

> Almost no attack surface

I guess you mean because SSI is just a very limited mechanism as opposed to full-blown Turing-complete PHP or similar. But actually, if the fragments/partials you include via SSI are user-posted content (comments) or syndicated content, then of course SSI can't fence against <script> or other injections. In that case, you could use more sophisticated SGML mechanisms (other than SGML processing instructions as used by PHP or magic SGML comments as used by SSI) such as entity reference expansion that come with full type checking and context-dependent validity assessment for filtering all kinds of injections (script elements, event handler attributes, image or link href injections or whatever). But you should at least use Content-Security-Policy headers to block inline script.
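To make the point of the last comment concrete, here is an added example (not code from any commenter, Apache, Nginx or Caddy): a toy SSI expander that splices `<!--#include virtual="..." -->` fragments into a page exactly as blindly as a real server does, beside an allowlist sanitizer applied to the untrusted fragments and the CSP header that backstops it. Assumptions: a Python dict stands in for the document root, the fragment contents are constructed, only the `virtual=` form of the include directive is handled, and the tag/attribute allowlist is my own choice, not a standard.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed fragments standing in for files under the document root (assumption).
# /comments/42.html is user-posted content and carries every injection the comment mentions:
# an event handler attribute, an inline script element and a javascript: href.
FRAGMENTS = {
    "/header.html": "<header><h1>My site</h1></header>",
    "/comments/42.html": (
        '<p onmouseover="steal()">Nice <strong>post</strong></p>'
        "<script>alert(1)</script>"
        '<a href="javascript:evil()">click</a>'
        '<a href="https://example.org/">fine</a>'
    ),
}

PAGE = (
    '<!DOCTYPE html><html><body><!--#include virtual="/header.html" -->'
    '<main><!--#include virtual="/comments/42.html" --></main></body></html>'
)

# Only the virtual= form of the include directive is recognised here (assumption).
SSI_INCLUDE = re.compile(r'<!--#include\s+virtual="([^"]+)"\s*-->')

ALLOWED_TAGS = {"p", "a", "em", "strong", "br", "ul", "ol", "li", "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # every on* handler attribute is dropped by omission
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}   # element and its text are removed together
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" covers relative URLs


def safe_href(value):
    """Reject javascript:/data:/etc. Whitespace is removed only for the check, so
    'java\\tscript:' style evasions are still caught."""
    compact = "".join((value or "").split())
    return urlparse(compact).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Allowlist filter: unknown tags vanish (their text stays), script/style vanish
    with their text, non-allowlisted attributes are dropped, text is re-escaped.
    Comments are dropped by the parser's default handler, so an untrusted fragment
    cannot smuggle in its own <!--#include --> directive."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # nesting depth inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # HTMLParser has already decoded entities in values
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def expand_ssi(page, fragments=FRAGMENTS, sanitize_prefixes=(), _depth=0):
    """Splice included fragments in, recursively. Fragments whose path starts with one
    of sanitize_prefixes are filtered first; everything else is trusted verbatim,
    which is exactly what a server's SSI module does."""
    def repl(match):
        path = match.group(1)
        if _depth > 8:
            return "<!-- include depth exceeded -->"
        body = fragments.get(path)
        if body is None:
            return "<!-- missing fragment -->"
        if path.startswith(tuple(sanitize_prefixes)):
            body = sanitize(body)
        return expand_ssi(body, fragments, sanitize_prefixes, _depth + 1)
    return SSI_INCLUDE.sub(repl, page)


# Defence in depth: with no 'unsafe-inline', a browser enforcing this header refuses
# inline <script>, on* handler attributes and javascript: URLs even if a filter slips.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    print(expand_ssi(PAGE))                                          # script comes through untouched
    print(expand_ssi(PAGE, sanitize_prefixes=("/comments/",)))       # injections removed
    print(f"{CSP_HEADER[0]}: {CSP_HEADER[1]}")
```

The first render shows that SSI is a pure splice: the `<script>` and the `onmouseover` land in the page verbatim. The filtering happens at the fragment boundary, not in SSI, and the CSP header is what still protects readers on the day the filter is wrong.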