[kodah]

Just to build on this, there are RCEs that involve overflowing headers; Go just had one not that long ago. There's plenty of inputs on a GET request. You still need to do proper security on a static site.

[jameshart]

Or.. a commodity static hosting provider can do proper security for you.

I don’t tend to worry about the RCE risk of hosting files in an S3 bucket behind a cloudfront distribution. That’s someone else’s problem.

[snowwrestler]

Commodity hosting with proper security is also available for dynamic website technologies.