Nice. I've done this in the past. But I feel like attempting to make a file serving http server is like adding preservants and high fructose corn syrup to home made baked goods.
You have the opportunity to really make something custom and of high quality, hard code the paths of your files and avoid a whole class of vulnerabilities for example.
Configuration files? That makes sense when programmer and sysadmin are distinct, you can just modify variables and recompile.
Once at a certain level of complexity, e.g. having several hundred/thousand resources, then you start automating your hardcoded paths, and then you still can get bitten.
vs just putting things in a subfolder of your repo or whatever and having the default handling not accept `..` path components
From a security perspective a lot of changes to this world would be an upgrade. However implementing security features is always a trade off, and sometimes good security is just not worth the loss of other things.
My favourite phenomenon is when (computer) security gets in the way of (actual) security.
For example, you implement a super secure solution and no one hacks your website, but you end up being very unproductive and can't find a job. You lost food security.
In covid, bank systems in my country were so hard to use, there were like 6 passwords to login. Not only was usability compromised in the sense of security, but people, especially old people, started lining up in banks, compromising health security.
To say nothing of the scenarios were users just bypass obnoxious exaggerated security systems, like leaving a post-it note with a password on their screens.
You have the opportunity to really make something custom and of high quality, hard code the paths of your files and avoid a whole class of vulnerabilities for example.
Configuration files? That makes sense when programmer and sysadmin are distinct, you can just modify variables and recompile.