Comment by wildpeaks

Sticking to this rule has served me well over the years:

- resources that are dynamically-generated are served by API endpoints, therefore known locations with predictable parameters

- everything else must be static files

And definitely no dynamic script as the fallback rule, it's too wasteful in an era of crawlers that ignore robots.txt and automated vulnerability scanners.

A backend must be resilient.