The static pages I write are mostly written by hand using simple HTML.
Jinja is used to reduce boilerplate,
but the bulk of the website contains nothing fancy —
is it really made with <3 if it's not written by hand?
Everything is previewed locally ($ python3 -m http.server) before being rsync'd off to a remote server.
Everything is simple.
Because that's how the web should be.
And if you're doing it any other way, you're probably doing it wrong.
Of course, there are a few exceptions. The tedium of rendering the Jinja templates and remembering to update PGP signatures (where applicable) has been automated away with a GNU makefile. The webserver hosting these files has been hardened to use the strongest ciphers, HSTS, and DNSSEC, along with some other security tweaks. Because, well, security is important. But that's all. The rest is kept as simple as possible.
The body of every page I author is invisibly signed with OpenPGP. The signature is always updated along with the content, and can be verified by obtaining the source and checking to make sure it was signed with my key. For example:
$ curl -sSL https://anaveragehuman.eu.org/~jlin | gpg --verify
Note that while the content and its delivery are secure, the rendering may not be. When in doubt, trust only the source.
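The one-liner above succeeds for any key already in the local keyring. As an added example (not part of this site's own tooling), the script below pins the check to one expected primary-key fingerprint by reading gpg's machine-readable status lines. The function names are hypothetical, and the fingerprint in the usage comment is a placeholder, since this page does not state one.

```shell
#!/bin/sh
# Added example: accept a page only if its signature is valid AND was made
# by the one key we expect, instead of by any key gpg happens to know.

# check_status FPR
# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names FPR as the primary key and no failure status was reported.
check_status() {
    awk -v want="$1" '
        BEGIN { gsub(/ /, "", want); want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, expired or revoked: reject outright.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # The last field of VALIDSIG is the primary key fingerprint.
        # A valid signature from any other key is also a rejection.
        $2 == "VALIDSIG" { if ($NF == want) ok = 1; else bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_page URL FPR
# Fetches the page source and verifies it against the pinned fingerprint.
# A failed download yields no VALIDSIG line, so it is rejected as well.
verify_page() {
    curl -sSL "$1" | gpg --status-fd 1 --verify 2>/dev/null | check_status "$2"
}

# Usage (FINGERPRINT_PLACEHOLDER must come from a channel you already trust):
#   verify_page https://anaveragehuman.eu.org/~jlin FINGERPRINT_PLACEHOLDER \
#       && echo "signed by the expected key"
```
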